Abstract

A recent paper of Xiao (Cryptology ePrint Technical Report, May 2011) constructs economic mechanisms that are simultaneously truthful and differentially private, improving previous results of McSherry and Talwar (FOCS 2007) and Nissim, Smorodinsky, and Tennenholtz (CoRR, April 2010 and ITCS 2012). Xiao's paper also argues that this conjunction of truthfulness and differential privacy may not be sufficient to elicit truthful behavior from players that value privacy. Specifically, he gives an example of a mechanism that is truthful and differentially private, but where truthfulness is lost if one includes a particular measure of privacy cost in the players' utility functions (namely, mutual information between the player's type and the outcome).

In this paper: 

• We propose a new, more general way of modelling privacy in players' utility functions. Specifically, we only assume that if an outcome $o$ has the property that any report of player $i$ would have led to $o$ with approximately the same probability, then $o$ has small privacy cost to player $i$.

• We give three mechanisms that are truthful with respect to our modelling of privacy: for an election 
between two candidates, for a discrete version of the facility location problem, and for a general 
social choice problem with discrete utilities (via a VCG-like mechanism). As the number n of 
players increases, the social welfare achieved by our mechanisms approaches optimal (as a fraction 
of n). 
1 Introduction



In this paper, we examine the interaction between mechanism design and differential privacy. This work is motivated by considerations in both fields.

In mechanism design, it has long been recognized that players may not behave as predicted by traditional incentives analysis out of concerns for privacy: in addition to having preferences about the outcome of a mechanism (e.g. who wins an auction, or where a hospital is located), they may also be concerned about what others learn about their private information (e.g. how much they value the auctioned good, or whether they have some medical condition that makes them care more about the hospital's location). The latter concerns are not modelled in most works on mechanism design, and it is natural to try to bring the new models and techniques of differential privacy to bear on them.

From the perspective of differential privacy, it is now well-understood that privacy is not an absolute 
notion, but rather a quantitative one that needs to be weighed against other objectives. Indeed, differentially 
private algorithms typically offer a tradeoff between the level of privacy offered to individuals in a database 
and the accuracy of statistics computed on the database, which we can think of as a "global" objective to be 
optimized. However, it is also of interest to consider how privacy should be weighed against the objectives of 
the individuals themselves. Mechanism design provides a natural setting in which to consider such tradeoffs. 
Attempting to model and reason about privacy in the context of mechanism design seems likely to lead to an improved understanding of the meaning and value of privacy.

1.1 Previous Work 

The first work bringing together differential privacy and mechanism design was the work of McSherry and Talwar [MT07]. They showed how to use differential privacy as a tool for mechanism design. By definition, differentially private algorithms are insensitive to individuals' inputs; a change in a single individual's input to the algorithm has only a small effect on the output distribution of the algorithm. Thus, if a mechanism is differentially private (and players have bounded utility functions), it immediately follows that the mechanism is approximately truthful. That is, reporting untruthfully can only provide a small gain in a player's utility. With this observation, McSherry and Talwar showed how tools from differential privacy can be used to construct approximately truthful mechanisms for many problems, including ones where exact truthfulness is impossible.

However, as pointed out by Nissim, Smorodinsky, and Tennenholtz [NST10], the approximate truthfulness achieved by McSherry and Talwar [MT07] may not be a satisfactory solution concept. Just as differential privacy guarantees that a player can't gain much by lying, it also means that a player can't gain much by telling the truth. Thus players might choose to lie in order to protect their privacy. Motivated by this, Nissim et al. show how to modify some of the mechanisms of McSherry and Talwar [MT07] to provide exact truthfulness. In doing so, however, they sacrifice differential privacy.

A recent paper by Xiao [Xia11] shows how to remedy this deficiency and construct mechanisms that
simultaneously achieve exact truthfulness and differential privacy. Xiao's paper also points out that even this 
combination may not be sufficient for getting players that value privacy to report truthfully. Indeed, exact 
truthfulness only means that a player weakly prefers to tell the truth. Lying might not reduce the player's 
utility at all (and differential privacy implies that it can only reduce the player's utility by at most a small 
amount). On the other hand, differential privacy does not guarantee "perfect" privacy protection, so it is 
possible that a player's concern for privacy may still outweigh the small or zero benefit from being truthful. 

To address this, Xiao [Xia11] advocated incorporating privacy directly into the players' utility functions, and seeking mechanisms that are truthful when taking the combined utilities into account. He proposed to measure privacy cost as the mutual information between a player's type (assumed to come from some prior distribution) and the outcome of the mechanism. Using this measure, he showed that his mechanism does not remain truthful when incorporating privacy into the utility functions, and left as an open problem to construct mechanisms that do.

1.2 Our Contributions 

In this paper: 

• We propose a new, more general way of modelling privacy in players' utility functions. Unlike Xiao's mutual information measure, our model does not require assuming a prior on players' types, and is instead a pointwise model: we simply assume that if an outcome $o$ has the property that any report of player $i$ would have led to $o$ with approximately the same probability, then $o$ has small privacy cost to player $i$. One motivation for this assumption is that such an outcome $o$ will induce only a small change in a Bayesian adversary's beliefs about player $i$ (conditioned on the other players' reports). (This is inspired by a Bayesian interpretation of differential privacy due to Dwork and McSherry [Dwo06].) While Xiao's mutual information measure is not strictly a special case of our model, we show that truthfulness with respect to our modelling implies truthfulness with respect to Xiao's.

• We give three mechanisms that are truthful with respect to our modelling of privacy: for an election 
between two candidates, for a discrete version of the facility location problem, and for a general 
social choice problem with discrete utilities (via a VCG-like mechanism). As the number n of players 
increases, the social welfare achieved by our mechanisms approaches optimal (as a fraction of n). Our 
mechanisms are inspired by Xiao's mechanisms, but with some variations and new analyses to obtain 
truthfulness when taking privacy into account. For the election and facility location mechanisms, we 
can establish universal truthfulness — truthfulness for every choice of the mechanism's random coins. 
For our VCG-like mechanism for general social choice problems, we need to work a bit harder to also 
ensure that the payments requested do not compromise privacy, and this leads us to only achieve 
truthfulness in expectation. 

In a nutshell, our proofs of universal truthfulness consider two cases for every fixing of the player's 
reports and coin tosses of the mechanism: If a player misreporting does not affect the outcome of the 
mechanism, then that player is completely indifferent between truth-telling and misreporting, even 
taking privacy into account. On the other hand, if the player misreporting does change the outcome 
of the mechanism, then being truthful provides a noticeable gain in utility (for the mechanisms we 
consider) while differential privacy ensures that the privacy cost of the outcome is still small. Thus, 
this analysis allows us to argue that the benefit of truthfulness outweighs privacy cost even when a 
player has a tiny probability of affecting the outcome (e.g. in a highly skewed election using a majority 
vote with random noise). Indeed, our key observation is that the expected privacy cost is also tiny in such a case.

1.3 Other Related Work 

Independently of our work, Nissim, Orlandi, and Smorodinsky [NOS11] have considered a related way of modelling privacy in players' utilities and constructed truthful mechanisms under their model. They assume that if all outcomes $o$ have the property that no player's report affects the probability of $o$ much (i.e. the mechanism is differentially private), then the overall privacy cost of the mechanism is small for every player. This is weaker than our assumption, which requires an analogous bound on the privacy cost for each specific outcome $o$. Indeed, Nissim et al. [NOS11] do not consider a per-outcome model of privacy, and thus do not obtain a reduced privacy cost when a player has a very low probability of affecting the outcome (e.g. a highly skewed election). Consequently, they establish truthfulness for contexts in which a player can receive a personal benefit for reporting truthfully independent of how the report affects the outcome. For example, in the case of an election between two choices (also considered in their paper), they require that a player directly benefits from reporting their true choice (e.g. because the choice is a magazine that they can receive), whereas we consider a more standard election where the players only receive utility for their preferred candidate winning (minus any costs due to privacy).

Another recent paper that considers a combination of differential privacy and mechanism design is that 
of Ghosh and Roth [GR11]. They consider a setting where each player has some private information and
some value for its privacy (measured in a way related to differential privacy). The goal is to design a 
mechanism for a data analyst to compute a statistic of the players' private information as accurately as 
possible, by purchasing data from many players and then performing a differentially private computation. In 
their model, players may lie about their value for privacy, but they cannot provide false data to the analyst. 
So they design mechanisms that get players to truthfully report their value for privacy. In contrast, we 
consider settings where players may lie about their data (their private types), but where they have a direct 
interest in the outcome of the mechanism, which we use to outweigh their value for privacy (so we do not 
need to explicitly elicit their value for privacy). 

We remark that there have also been a number of works that consider secure-computation-like notions 
of privacy for mechanism design problems (see [NPS99, DHR00, IML05, PRST08, BS08, FJS10] for some
examples). In these works, the goal is to ensure that a distributed implementation of a mechanism does not 
leak much more information than a centralized implementation by a trusted third party (or alternatively, that 
the players do not need to leak more information than necessary to the centralized implementation). In our 
setting, we assume we have a trusted third party to implement the mechanism and are concerned with the 
information leaked by the outcome itself. 

2 Background on Mechanism Design 

In this section, we introduce the standard framework of mechanism design to lay the ground for modelling privacy in the context of mechanism design in the next section. We use a running example of an election between two candidates.

A (deterministic) mechanism is given by the following components: 

• A number $n$ of players. For example, these might be the $n$ voters in an election between two candidates $A$ and $B$.

• A set $\Theta$ of player types. In the election example, we take $\Theta = \{A, B\}$, where $\theta_i \in \Theta$ indicates which of the two candidates is preferred by voter $i \in [n]$.

• A set $O$ of outcomes. In the election example, we take $O = \{A, B\}$, where the outcome indicates which of the two candidates wins. (Note that we do not include the tally of the vote as part of the outcome. This turns out to be significant for privacy.)

• Players' action spaces $X_i$, for all $i \in [n]$. In general, a player's action space can be different from his type space. However, in this paper we view the types in $\Theta$ to be values that we expect players to know and report. Hence, we require $X_i = \Theta$ for all $i \in [n]$ (i.e. we restrict to direct revelation mechanisms, which is without loss of generality). In the election example, the action of a player is to vote for $A$ or vote for $B$.

• An outcome function $M : X_1 \times \cdots \times X_n \to O$ that determines an outcome given players' actions. Since we require $X_i = \Theta$, the outcome function becomes $M : \Theta^n \to O$. For example, a majority voting mechanism's outcome function maps the votes of players to a winning candidate who receives a majority of all votes.

• Player-specific utility functions $U_i : \Theta \times O \to \mathbb{R}$ for $i = 1, \ldots, n$, giving the utility of player $i$ as a function of his type and the outcome.

To simplify notation, we use a mechanism's outcome function to represent the mechanism. That is, a mechanism is denoted $M : \Theta^n \to O$. The goal of mechanism design is then to design a mechanism $M : \Theta^n \to O$ that takes players' (reported) types and selects an outcome so as to maximize some global objective function (e.g. the sum of the players' utilities, known as social welfare) even when players may falsely report their type in order to increase their personal utility. The possibility of players' misreporting is typically handled by designing mechanisms that are incentive-compatible, i.e. it is in each player's interest to report their type honestly. A strong formulation of incentive compatibility is the notion of truthfulness (a.k.a. dominant-strategy incentive compatibility): for all players $i$, all types $\theta_i \in \Theta$, all alternative reports $\theta'_i \in \Theta$, and all profiles $\theta_{-i}$ of the other players' reports¹, we have:

$$U_i(\theta_i, M(\theta_i, \theta_{-i})) \ge U_i(\theta_i, M(\theta'_i, \theta_{-i})). \qquad (2.1)$$

If Inequality (2.1) holds for player $i$ (but not necessarily all players), we say that the mechanism is truthful for player $i$. Note that we are using $\theta_{-i}$ here as both the type and the report of the other players. Since truthfulness must hold for all possible reports of other players, it is without loss of generality to assume that other players report their true type. This is in contrast to the notion of a Nash equilibrium, which refers to the incentives of player $i$ under the assumption that other players are using equilibrium strategies.

In the election example, it is easy to see that standard majority voting is a truthful mechanism. Changing 
one's vote to a less-preferred candidate can never increase one's utility (it either does not affect the outcome, 
or does so in a way that results in lower utility). 
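A brute-force check of Inequality (2.1) for the majority-vote example, as an added example (not code from the paper). `truthfulness_violations` enumerates every profile, player and deviation for a deterministic mechanism given as a Python function and returns the cases where a misreport strictly raises the player's utility; `worst_vote_wins` is a constructed counterexample mechanism so that the checker's failure mode is visible too. All names are my own.

```python
"""Brute-force check of the truthfulness inequality (2.1) for deterministic
mechanisms. Added example, not code from the paper; the mechanism and the
utility below encode the paper's two-candidate election."""
from itertools import product

A, B = "A", "B"
TYPES = (A, B)


def majority(reports):
    """Deterministic majority vote between candidates A and B; ties go to A."""
    votes_a = sum(1 for t in reports if t == A)
    votes_b = len(reports) - votes_a
    return A if votes_a >= votes_b else B


def election_utility(theta_i, outcome):
    """U_i(theta_i, o): one unit of utility when the preferred candidate wins."""
    return 1 if outcome == theta_i else 0


def truthfulness_violations(mechanism, utility, n, types=TYPES):
    """Enumerate every profile theta, player i and alternative report theta'_i and
    return the triples (theta, i, theta'_i) that violate
        U_i(theta_i, M(theta_i, theta_-i)) >= U_i(theta_i, M(theta'_i, theta_-i)).
    An empty list means the mechanism is truthful (dominant-strategy IC)."""
    violations = []
    for theta in product(types, repeat=n):
        honest_outcome = mechanism(theta)
        for i in range(n):
            for alt in types:
                if alt == theta[i]:
                    continue
                deviated = theta[:i] + (alt,) + theta[i + 1:]
                if utility(theta[i], mechanism(deviated)) > utility(theta[i], honest_outcome):
                    violations.append((theta, i, alt))
    return violations


def worst_vote_wins(reports):
    """Constructed non-truthful mechanism for contrast: the candidate with the
    fewest votes wins (ties go to B), so a voter can gain by lying."""
    votes_a = sum(1 for t in reports if t == A)
    votes_b = len(reports) - votes_a
    return A if votes_a < votes_b else B


if __name__ == "__main__":
    print(len(truthfulness_violations(majority, election_utility, 5)))         # 0
    print(truthfulness_violations(worst_vote_wins, election_utility, 3)[:3])   # non-empty
```

For five voters the checker examines all 32 profiles and finds no profitable deviation from majority voting, which is the argument of the paragraph above made exhaustive; for the constructed `worst_vote_wins` mechanism it reports, for instance, that a type-$A$ voter in the profile $(A, A, B)$ gains by reporting $B$.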

In this paper, we will allow randomized mechanisms, which we define as $M : \Theta^n \times R \to O$, where $R$ is the probability space from which the mechanism makes its random choices (e.g. all possible sequences of coin tosses used by the mechanism). We write $M(\theta)$ to denote the random variable obtained by sampling $r$ from $R$ and evaluating $M(\theta; r)$. This (non-standard) definition of a randomized mechanism is equivalent to the standard one (where the mechanism is a function from reported types to a distribution over outcomes) and makes our analysis clearer.

For randomized mechanisms, one natural generalization of truthfulness is truthfulness in expectation: for all players $i$, all types $\theta_i$, all utility functions $U_i$, all reports $\theta'_i$, and all profiles $\theta_{-i}$ of the other players' reports, we have:

$$\mathbb{E}[U_i(\theta_i, M(\theta_i, \theta_{-i}))] \ge \mathbb{E}[U_i(\theta_i, M(\theta'_i, \theta_{-i}))],$$

where the expectation is taken over the random choices of the mechanism.

A stronger notion is that of universal truthfulness: for all players $i$, all types $\theta_i$ and utility functions $U_i$, all alternative reports $\theta'_i$, all profiles $\theta_{-i}$ of the other players' reports, and all $r \in R$, we have:

$$U_i(\theta_i, M(\theta_i, \theta_{-i}; r)) \ge U_i(\theta_i, M(\theta'_i, \theta_{-i}; r)).$$

Thus $M$ being universally truthful is equivalent to saying that for every $r \in R$, $M(\cdot\,; r)$ is a deterministic truthful mechanism.

3 Modelling Privacy in Mechanism Design 

The standard framework of mechanism design does not consider a player's value of privacy. In this section, 
we incorporate privacy into mechanism design and adapt the definitions of truthfulness accordingly. 

¹We adopt the standard game-theory convention that $\theta_{-i}$ refers to all components of the vector $\theta$ except the one corresponding to player $i$, and that $(\theta'_i, \theta_{-i})$ denotes the vector obtained by putting $\theta'_i$ in the $i$'th component and using $\theta_{-i}$ for the rest.
3.1 Modelling Privacy

We continue considering the mechanism design setting. But players care not only about the outcome of the 
mechanism, but also what that outcome reveals about their private types. Thus, a player's utility becomes 

$$U_i = U_i^{\mathrm{out}} + U_i^{\mathrm{priv}}, \qquad (3.1)$$

where $U_i^{\mathrm{out}} : \Theta \times O \to \mathbb{R}$ is player $i$'s utility for the outcome and $U_i^{\mathrm{priv}}$ is player $i$'s utility associated with privacy or information leakage. Before discussing the form of $U_i^{\mathrm{priv}}$ (i.e. what are its inputs), we note that in Equation (3.1) there is already an implicit assumption that privacy can be measured in units that can be linearly traded with other forms of utility. A more general formulation would allow $U_i$ to be an arbitrary monotone function of $U_i^{\mathrm{out}}$ and $U_i^{\mathrm{priv}}$, but we stick with the standard quasi-linearity assumption for simplicity.

Now, we turn to the functional form of $U_i^{\mathrm{priv}}$. First, we note that $U_i^{\mathrm{priv}}$ should not just be a function of player $i$'s type and the outcome. What matters is the functional relationship between player $i$'s reported type and the outcome. For example, a voting mechanism that ignores player $i$'s vote should have zero privacy cost to player $i$, but one that uses player $i$'s vote to entirely determine the outcome may have a large privacy cost. So we will allow $U_i^{\mathrm{priv}}$ to depend on the mechanism itself, as well as the reports of other players, since these are what determine the functional relationship between player $i$'s report and the outcome:

$$U_i^{\mathrm{priv}} : \Theta \times O \times \{M : \Theta^n \times R \to O\} \times \Theta^{n-1} \to \mathbb{R}. \qquad (3.2)$$

Thus, when the reports of the $n$ players are $\theta \in \Theta^n$ and the outcome is $o$, the utility of player $i$ is

$$U_i(\theta_i, o, M, \theta_{-i}) = U_i^{\mathrm{out}}(\theta_i, o) + U_i^{\mathrm{priv}}(\theta_i, o, M, \theta_{-i}).$$

In particular, $U_i$ has the same inputs as $U_i^{\mathrm{priv}}$ above, including $M$. Unlike standard mechanism design, we are not given fixed utility functions and then need to design a mechanism with respect to those utility functions. Our choice of mechanism affects the utility functions too!

Note that we do not assume that $U_i^{\mathrm{priv}}$ is always negative (in contrast to Xiao [Xia11]). In some cases, players may prefer for information about them to be kept secret and in other cases they may prefer for it to be leaked (e.g. in case it is flattering). Thus, $U_i^{\mathrm{priv}}$ may be better thought of as "informational utility" rather than a "privacy cost".

It is significant that we do not allow the $U_i^{\mathrm{priv}}$ to depend on the report or, more generally, the strategy of player $i$. This is again in contrast to Xiao's modelling of privacy [Xia11]. We will discuss the motivation for our choice in Section 6.1 and also show that despite this difference, truthfulness with respect to our modelling implies truthfulness with respect to Xiao's modelling (Section 6.2).

Clearly no mechanism design would be possible if we make no further assumptions about the $U_i^{\mathrm{priv}}$'s and allow them to be arbitrary, unknown functions (as their behavior could completely cancel the $U_i^{\mathrm{out}}$'s). Thus, we will make the natural assumption that $U_i^{\mathrm{priv}}$ is small if player $i$'s report has little influence on the outcome $o$. More precisely:



Assumption 3.1 (privacy-value assumption).

$$\forall\, \theta \in \Theta^n,\ o \in O,\ M: \qquad \bigl|U_i^{\mathrm{priv}}(\theta_i, o, M, \theta_{-i})\bigr| \le F_i\!\left( \max_{\theta'_i, \theta''_i \in \Theta} \frac{\Pr[M(\theta'_i, \theta_{-i}) = o]}{\Pr[M(\theta''_i, \theta_{-i}) = o]} \right),$$

where $F_i : [1, \infty) \to [0, \infty]$ is a privacy-bound function with the property that $F_i(x) \to 0$ as $x \to 1$, and the probabilities are taken over the random choices of $M$.
Note that if the mechanism ignores player $i$'s report, then the ratio on the right-hand side of Assumption 3.1 equals 1, so the bound is $F_i(1)$, which naturally corresponds to a privacy cost of 0. Thus, we are assuming that the privacy costs satisfy a continuity condition as the mechanism's dependence on player $i$'s report decreases. For simplicity, the privacy-bound function $F_i$ can be thought of as being the same for all players, but we allow it to depend on the player for the sake of generality.

Assumption 3.1 is inspired by the notion of differential privacy, which we restate in our notation:

Definition 3.2 ([DN03, DN04, BDMN05, DMNS06]). A mechanism $M : \Theta^n \times R \to O$ is $\varepsilon$-differentially private iff

By inspection of Assumption 3.1 and the definition of differential privacy, we have the following result.

Proposition 3.3. If $M$ is $\varepsilon$-differentially private, then for all players $i$ whose utility functions satisfy Assumption 3.1, all $\theta_{-i} \in \Theta^{n-1}$ and $o \in O$, we have

$$\bigl|U_i^{\mathrm{priv}}(\theta_i, o, M, \theta_{-i})\bigr| \le F_i(e^{\varepsilon}).$$

In particular, as we take $\varepsilon \to 0$, the privacy cost of any given outcome tends to 0.

Like differential privacy, Assumption 3.1 makes sense only for randomized mechanisms. Also like differential privacy, Assumption 3.1 only measures the loss in privacy contributed by player $i$'s report when fixing the reports of the other players. In some cases, it may be that the other players' reports already reveal a lot of information about player $i$. See Section 6 for further discussion, interpretation, and critiques of our modelling.

3.2 Truthfulness with Privacy

Once we model privacy as above, the definitions of truthfulness with privacy are direct analogues of the basic definitions given earlier.

Definition 3.4 (truthfulness with privacy). Consider a mechanism design problem with $n$ players, type space $\Theta$, and outcome space $O$. For a player $i$ with utility function $U_i = U_i^{\mathrm{out}} + U_i^{\mathrm{priv}}$, we say that a randomized mechanism $M : \Theta^n \times R \to O$ is truthful in expectation for player $i$ if for all types $\theta_i \in \Theta$, all alternative reports $\theta'_i \in \Theta$ for player $i$, and all possible profiles $\theta_{-i}$ of the other players' reports, we have:

$$\mathbb{E}[U_i(\theta_i, M(\theta_i, \theta_{-i}), M, \theta_{-i})] \ge \mathbb{E}[U_i(\theta_i, M(\theta'_i, \theta_{-i}), M, \theta_{-i})].$$

We say that $M$ is universally truthful for player $i$ if the inequality further holds for all values of $r \in R$:

$$U_i(\theta_i, M(\theta_i, \theta_{-i}; r), M, \theta_{-i}) \ge U_i(\theta_i, M(\theta'_i, \theta_{-i}; r), M, \theta_{-i}).$$

Note that, unlike in standard settings, $M$ being universally truthful does not mean that the deterministic mechanisms $M(\cdot\,; r)$ are truthful. Indeed, even when we fix $r$, the privacy utility $U_i^{\mathrm{priv}}(\theta, o, M, \theta_{-i})$ still depends on the original randomized function $M$, and the privacy properties of $M$ would be lost if we publicly revealed $r$. What universal truthfulness means is that player $i$ would still want to report truthfully even if she knew $r$ but it were kept secret from the rest of the world.

Using Proposition 3.3, we will sometimes be able to obtain truthful mechanisms taking privacy into account by applying tools from differential privacy to mechanisms that are already truthful when ignoring privacy.

Indeed, consider the following differentially private version of the basic 2-candidate election mechanism:
Mechanism 3.5. Differentially private election mechanism
Input: profile $\theta \in \{A, B\}^n$ of votes, privacy parameter $\varepsilon > 0$.

1. Choose $r \in \mathbb{Z}$ from a discrete Laplace distribution, namely $\Pr[r = k] \propto \exp(-\varepsilon |k|)$.

2. If $\#\{i : \theta_i = A\} - \#\{i : \theta_i = B\} > r$, output $A$. Otherwise output $B$.

We show that for sufficiently small $\varepsilon$, this mechanism is truthful for players satisfying Assumption 3.1.

Theorem 3.6. Mechanism 3.5 is universally truthful for player $i$ provided that, for some function $F_i$:

1. Player $i$'s privacy utility $U_i^{\mathrm{priv}}$ satisfies Assumption 3.1 with privacy bound function $F_i$, and

2. $U_i^{\mathrm{out}}(\theta_i, \theta_i) - U_i^{\mathrm{out}}(\theta_i, \neg\theta_i) > 2F_i(e^{\varepsilon})$.

Note that Condition 2 holds for sufficiently small $\varepsilon > 0$ (since $F_i(x) \to 0$ as $x \to 1$). The setting of $\varepsilon$ needed to achieve truthfulness depends only on how much the players value their preferred candidate (measured by the left-hand side of Condition 2) and how much they value privacy (measured by the right-hand side of Condition 2), and is independent of the number of players $n$.

Proof. Fix the actual type $\theta_i \in \{A, B\}$ of player $i$, a profile $\theta_{-i}$ of reports of the other players, and a choice $r$ for $M$'s randomness. The only alternate report for player $i$ we need to consider is $\theta'_i = \neg\theta_i$. Let $o = M(\theta_i, \theta_{-i}; r)$ and $o' = M(\neg\theta_i, \theta_{-i}; r)$. We need to show that

$$U_i(\theta_i, o, M, \theta_{-i}) \ge U_i(\theta_i, o', M, \theta_{-i}),$$

which is equivalent to

$$U_i^{\mathrm{out}}(\theta_i, o) - U_i^{\mathrm{out}}(\theta_i, o') \ge U_i^{\mathrm{priv}}(\theta_i, o', M, \theta_{-i}) - U_i^{\mathrm{priv}}(\theta_i, o, M, \theta_{-i}). \qquad (3.3)$$

We consider two cases:

Case 1: $o = o'$. In this case, Inequality (3.3) holds because both the left-hand and right-hand sides are zero.

Case 2: $o \ne o'$. This implies that $o = \theta_i$ and $o' = \neg\theta_i$. (If player $i$'s report has any effect on the outcome of the differentially private voting mechanism, then it must be that the outcome equals player $i$'s report.) Thus the left-hand side of Inequality (3.3) equals $U_i^{\mathrm{out}}(\theta_i, \theta_i) - U_i^{\mathrm{out}}(\theta_i, \neg\theta_i)$. By Proposition 3.3, the right-hand side of Inequality (3.3) is at most $2F_i(e^{\varepsilon})$. Thus, Inequality (3.3) holds by hypothesis.

□
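Mechanism 3.5 as runnable code, with exact computations of the quantities that Assumption 3.1, Proposition 3.3 and the proof of Theorem 3.6 reason about. This is an added example, not code from the paper; the sampler, the closed-form distribution function and all helper names are my own. `pivotal_outcomes` reproduces the case split of the proof: for every fixed coin $r$ at which the truthful report and the flipped report lead to different outcomes, the truthful outcome is the player's own preferred candidate. `worst_privacy_ratio` evaluates exactly the probability ratio inside $F_i$ in Assumption 3.1, maximised over outcomes, pairs of reports and profiles of the other voters; because one flipped vote moves the margin $\#A - \#B$ by two, that maximum works out to exactly $e^{2\varepsilon}$ for the noise scale $\varepsilon$ of step 1, which is the value the usage line at the bottom compares against.

```python
"""Mechanism 3.5 (differentially private two-candidate election), added example.
Exact probabilities use the closed form of the discrete Laplace distribution."""
import math
import random

A, B = "A", "B"


def sample_discrete_laplace(eps, rng):
    """Sample r in Z with Pr[r = k] proportional to exp(-eps * |k|) (step 1 of
    Mechanism 3.5). The difference of two i.i.d. geometric variables on {0, 1, ...}
    with success probability 1 - exp(-eps) has exactly this two-sided law."""
    q = math.exp(-eps)
    g1 = int(math.log(1.0 - rng.random()) / math.log(q))  # inverse-CDF geometric sample
    g2 = int(math.log(1.0 - rng.random()) / math.log(q))
    return g1 - g2


def margin(reports):
    """#{i : theta_i = A} - #{i : theta_i = B}."""
    return sum(1 if t == A else -1 for t in reports)


def dp_election(reports, eps, rng):
    """Step 2 of Mechanism 3.5: output A iff the margin exceeds the noise r."""
    return A if margin(reports) > sample_discrete_laplace(eps, rng) else B


def laplace_cdf(k, eps):
    """Pr[r <= k] for the discrete Laplace law, in closed form (geometric sums)."""
    q = math.exp(-eps)
    if k >= 0:
        return 1.0 - q ** (k + 1) / (1.0 + q)
    return q ** (-k) / (1.0 + q)


def outcome_distribution(reports, eps):
    """Exact Pr[M(theta) = A] and Pr[M(theta) = B]; A wins iff r <= margin - 1."""
    p_a = laplace_cdf(margin(reports) - 1, eps)
    return {A: p_a, B: 1.0 - p_a}


def privacy_ratio(theta_minus_i, eps):
    """max over o, theta'_i, theta''_i of
    Pr[M(theta'_i, theta_-i) = o] / Pr[M(theta''_i, theta_-i) = o]:
    the argument of F_i in Assumption 3.1 for this profile of the other voters."""
    dist = {t: outcome_distribution(list(theta_minus_i) + [t], eps) for t in (A, B)}
    return max(dist[t1][o] / dist[t2][o]
               for o in (A, B) for t1 in (A, B) for t2 in (A, B))


def worst_privacy_ratio(n, eps):
    """Largest privacy ratio over all profiles of the n - 1 other voters. Only
    their margin matters, so it suffices to scan the achievable margins.
    For this margin rule the result is exactly exp(2 * eps): one vote moves
    the margin by two, so the tail probabilities compare as q^m / q^(m+2)."""
    worst = 1.0
    for m in range(-(n - 1), n, 2):
        others = [A] * ((n - 1 + m) // 2) + [B] * ((n - 1 - m) // 2)
        worst = max(worst, privacy_ratio(others, eps))
    return worst


def pivotal_outcomes(theta_i, theta_minus_i, r_values):
    """Case split from the proof of Theorem 3.6. For each fixed coin r, compare
    the outcome o under the truthful report with o' under the flipped report and
    return the pivotal coins (o != o') as (r, o, o'). In every pivotal case
    o equals theta_i: misreporting can only hand the election to the other side."""
    flipped = B if theta_i == A else A
    m_true = margin(list(theta_minus_i) + [theta_i])
    m_flip = margin(list(theta_minus_i) + [flipped])
    pivotal = []
    for r in r_values:
        o = A if m_true > r else B
        o_flip = A if m_flip > r else B
        if o != o_flip:
            pivotal.append((r, o, o_flip))
    return pivotal


if __name__ == "__main__":
    eps = 0.1
    rng = random.Random(2011)   # constructed seed
    votes = [A, A, A, B, B]     # constructed profile
    print(dp_election(votes, eps, rng), outcome_distribution(votes, eps))
    print(pivotal_outcomes(A, [A, B, B], range(-10, 11)))   # only r in {-2, -1}, o == A
    print(worst_privacy_ratio(5, eps), math.exp(2 * eps))   # equal
```

The pivotal coins form a window of width two around the other voters' margin, which is the quantitative content of the proof's Case 2: the player is only ever pivotal in her own favour, and the probability of that window shrinks as the election becomes more skewed, which is what makes the expected privacy cost tiny in the highly skewed case discussed in Section 1.2.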

Of course, truthfulness is not the only property of interest. After all, a mechanism that is simply a constant function is (weakly) truthful. Another property we would like is economic efficiency. Typically, this is defined as maximizing social welfare, the sum of players' utilities. Here we consider the sum of outcome utilities for simplicity. As is standard, we normalize players' utilities so that all players are counted equally in measuring the social welfare. In our voting example, we wish to maximize the number of voters whose preferred candidate wins, which is equivalent to normalizing the left-hand side of Condition 2 in Theorem 3.6 to 1. Standard, deterministic majority voting clearly maximizes this measure of social welfare. Our mechanism achieves approximate efficiency:

Proposition 3.7. For every profile $\theta \in \Theta^n$ of reports, if we select $o \leftarrow M(\theta)$ using Mechanism 3.5 then:

1. $\Pr\bigl[\#\{i : \theta_i = o\} < \max_{o' \in \{A,B\}} \#\{i : \theta_i = o'\} - \Delta\bigr] \le e^{-\varepsilon\Delta}$.

2. $\mathbb{E}\bigl[\#\{i : \theta_i = o\}\bigr] \ge \max_{o' \in \{A,B\}} \#\{i : \theta_i = o'\} - 1/\varepsilon$.

Thus, the number of voters whose preferred candidate wins is within $O(1/\varepsilon)$ of optimal, in expectation and with high probability. Note that this deviation is independent of $n$, the number of players. Thus if we take $\varepsilon$ to be a small constant (as suffices for truthfulness) and let $n \to \infty$, the economic efficiency approaches optimal, when we consider both as fractions of $n$. This also holds for vanishing $\varepsilon = \varepsilon(n)$, provided $\varepsilon = \omega(1/n)$.

This analysis considers the social welfare as a sum of outcome utilities (again normalizing so that everyone values their preferred candidate by one unit of utility more than the other candidate). We can consider the effect of privacy utilities on the social welfare too. By Proposition 3.3, the privacy utilities affect the social welfare by at most $\sum_i F_i(e^{\varepsilon})$, assuming player $i$ satisfies Assumption 3.1 with privacy bound function $F_i$. If all players satisfy Assumption 3.1 with the same privacy bound function $F_i = F$, then the effect on social welfare is at most $n \cdot F(e^{\varepsilon})$. By taking $\varepsilon \to 0$ (e.g. $\varepsilon = 1/\sqrt{n}$), the privacy utilities contribute a vanishing fraction of $n$.



Proof of Proposition 3.7. The maximum number of voters will be satisfied by taking the majority candidate $o^* = \mathrm{Maj}(\theta)$, where we break ties in favor of $A$. Let $\Delta' = \#\{i : \theta_i = o^*\} - \#\{i : \theta_i = \neg o^*\}$. If $o^* = A$, then $\neg o^* = B$ is selected iff the noise $r$ is larger than $\Delta'$. If $o^* = B$, then $\neg o^* = A$ is selected iff the noise $r$ is smaller than or equal to $-\Delta'$. Since $r$ is chosen so that $\Pr[r = k] \propto e^{-\varepsilon|k|}$, the probability of selecting $\neg o^*$ in either case is bounded as:

$$\Pr[M(\theta) = \neg o^*] \le \frac{\sum_{k \ge \Delta'} e^{-\varepsilon|k|}}{\sum_{k \in \mathbb{Z}} e^{-\varepsilon|k|}} = \frac{e^{-\varepsilon\Delta'}}{1 + e^{-\varepsilon}} \le e^{-\varepsilon\Delta'}.$$

Now the high probability bound follows by considering the case that $\Delta' > \Delta$ (otherwise the event occurs with probability 0). The expectation bound can be computed as follows:

$$\max_{o' \in \{A,B\}} \#\{i : \theta_i = o'\} - \mathbb{E}\bigl[\#\{i : \theta_i = M(\theta)\}\bigr] = \Pr[M(\theta) = \neg o^*] \cdot \Delta' \le \frac{\Delta' e^{-\varepsilon\Delta'}}{1 + e^{-\varepsilon}} \le \frac{1}{e\varepsilon} \cdot \frac{1}{1 + e^{-\varepsilon}} \le \frac{1}{\varepsilon},$$

where the second-to-last inequality follows from the fact that $x e^{-\varepsilon x}$ is maximized at $x = 1/\varepsilon$. □
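The bounds of Proposition 3.7 evaluated exactly, following the proof above; an added example, not the paper's code. It encodes the closed form $e^{-\varepsilon\Delta'}/(1+e^{-\varepsilon})$ for the probability that the minority candidate wins, cross-checks it against a direct sum of the discrete Laplace pmf, and scans every lead $\Delta'$ to confirm that the expected number of voters lost peaks near $\Delta' = 1/\varepsilon$ and never exceeds $1/\varepsilon$, whatever $n$ is. Helper names and the sample parameters are my own.

```python
"""Exact check of the two efficiency bounds in Proposition 3.7 for Mechanism 3.5.
Added example, not the paper's code. Only the majority's lead Delta' matters for
the probability that the minority candidate wins, so every quantity below is a
function of Delta' and eps alone, never of the number of voters n."""
import math


def minority_win_probability(delta_prime, eps):
    """Pr[M(theta) = not o*] when the majority candidate o* leads by delta_prime >= 0
    (a tie, broken towards A, is delta_prime = 0). With o* = A, candidate B wins
    iff r >= delta_prime; summing the discrete Laplace tail gives the closed form
    e^(-eps*Delta') / (1 + e^(-eps)), the middle term in the proof."""
    if delta_prime < 0:
        raise ValueError("delta_prime is the majority's lead and cannot be negative")
    q = math.exp(-eps)
    return q ** delta_prime / (1.0 + q)


def minority_win_probability_by_sum(delta_prime, eps, k_max=2000):
    """Same probability by summing the normalised pmf over k >= delta_prime
    (truncated at k_max); an independent cross-check of the closed form."""
    q = math.exp(-eps)
    norm = (1.0 - q) / (1.0 + q)          # 1 / sum_{k in Z} e^(-eps|k|)
    return sum(norm * q ** abs(k) for k in range(delta_prime, k_max + 1))


def shortfall_probability(delta_prime, delta, eps):
    """Pr[#{i : theta_i = o} < max_o' #{i : theta_i = o'} - Delta] (bound 1).
    The event happens only if the minority candidate wins and Delta' > Delta."""
    return minority_win_probability(delta_prime, eps) if delta_prime > delta else 0.0


def expected_welfare_gap(delta_prime, eps):
    """max_o' #{i : theta_i = o'} - E[#{i : theta_i = M(theta)}] (bound 2):
    the expected number of voters lost, Pr[minority wins] * Delta'."""
    return minority_win_probability(delta_prime, eps) * delta_prime


def worst_expected_gap(eps, max_delta=10000):
    """(largest expected gap over all leads, the lead attaining it). The maximum
    sits at Delta' ~ 1/eps, where Delta' e^(-eps Delta') peaks, and stays below
    1/(e*eps) / (1 + e^(-eps)) < 1/eps."""
    return max((expected_welfare_gap(d, eps), d) for d in range(0, max_delta + 1))


def proposition_3_7_holds(eps, max_delta=10000):
    """True iff both bounds hold for every lead Delta' up to max_delta. For
    bound 1 it suffices to check Delta = Delta' - 1: the left-hand side is the
    same for every Delta < Delta' while the right-hand side e^(-eps Delta) only
    gets smaller as Delta grows."""
    for d in range(0, max_delta + 1):
        if expected_welfare_gap(d, eps) > 1.0 / eps + 1e-12:
            return False
        if d > 0 and shortfall_probability(d, d - 1, eps) > math.exp(-eps * (d - 1)) + 1e-12:
            return False
    return True


if __name__ == "__main__":
    eps = 0.1   # constructed parameter
    print(minority_win_probability(5, eps), minority_win_probability_by_sum(5, eps))
    print(worst_expected_gap(eps), 1.0 / eps)   # peak near Delta' = 10, well below 10
    print(proposition_3_7_holds(eps))           # True
```

The scan makes the "independent of $n$" remark concrete: a landslide with a lead of 500 votes loses fewer voters in expectation than a lead of 10 at $\varepsilon = 0.1$, because the noise only matters when the race is close, and the worst case over all leads is a constant depending on $\varepsilon$ alone.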

Another desirable property is individual rationality: players given the additional option of not participating should still prefer to participate and report truthfully. This property follows from the same argument we used to establish universal truthfulness. By dropping out, the only change in outcome that player $i$ can create is to make her less preferred candidate win. Thus, the same argument as in Theorem 3.6 shows that player $i$ prefers truthful participation to dropping out.

Proposition 3.8. Under the same assumptions as Theorem 3.6, Mechanism 3.5 is individually rational for player $i$.



The analysis of truthfulness in Theorem 3.6 is quite general. It holds for any differentially private mechanism with the property that if a player can actually change the outcome of the mechanism by reporting untruthfully, then it will have a noticeable negative impact on the player's outcome utility. We abstract this property for use in analyzing our other mechanisms.
Lemma 3.9. Consider a mechanism design problem with $n$ players, type space $\Theta$, and outcome space $O$. Let player $i$ have a utility function $U_i = U_i^{\mathrm{out}} + U_i^{\mathrm{priv}}$ satisfying Assumption 3.1 with privacy bound function $F_i$. Suppose that randomized mechanism $M : \Theta^n \times R \to O$ has the following properties:

1. $M$ is $\varepsilon$-differentially private, and

2. For all possible types $\theta_i$, all profiles $\theta_{-i}$ of the other players' reports, all random choices $r$ of $M$, and all alternative reports $\theta'_i$ for player $i$: if $M(\theta_i, \theta_{-i}; r) \ne M(\theta'_i, \theta_{-i}; r)$, then $U_i^{\mathrm{out}}(\theta_i, M(\theta_i, \theta_{-i}; r)) - U_i^{\mathrm{out}}(\theta_i, M(\theta'_i, \theta_{-i}; r)) > 2F_i(e^{\varepsilon})$.

Then $M$ is universally truthful for player $i$.

It is also illustrative and useful to consider what happens when we take the expectation over the mechanism's coin tosses. We can upper-bound the privacy utility as follows:

Lemma 3.10. Consider a mechanism design problem with $n$ players, type space $\Theta$, and outcome space $O$. Let player $i$ have type $\theta_i \in \Theta$ and a utility function $U_i = U_i^{\mathrm{out}} + U_i^{\mathrm{priv}}$ satisfying Assumption 3.1. Suppose that randomized mechanism $M : \Theta^n \times R \to O$ is $\varepsilon$-differentially private. Then for all possible profiles $\theta_{-i}$ of the other players' reports, all random choices $r$ of $M$, and all alternative reports $\theta'_i$ for player $i$, we have

$$\bigl|\mathbb{E}[U_i^{\mathrm{priv}}(\theta_i, M(\theta_i, \theta_{-i}), M, \theta_{-i})] - \mathbb{E}[U_i^{\mathrm{priv}}(\theta_i, M(\theta'_i, \theta_{-i}), M, \theta_{-i})]\bigr| \le 2F_i(e^{\varepsilon}) \cdot \mathrm{SD}(M(\theta_i, \theta_{-i}), M(\theta'_i, \theta_{-i})),$$

where $\mathrm{SD}$ denotes statistical difference².

Proof. For every two discrete random variables $X$ and $Y$ taking values in a universe $\mathcal{U}$, and every function $f : \mathcal{U} \to [-1, 1]$, it holds that $|\mathbb{E}[f(X)] - \mathbb{E}[f(Y)]| \le 2\,\mathrm{SD}(X, Y)$. (The $f$ that maximizes the left-hand side sets $f(x) = 1$ when $\Pr[X = x] > \Pr[Y = x]$ and sets $f(x) = -1$ otherwise.) Take $\mathcal{U} = O$, $X = M(\theta_i, \theta_{-i})$, $Y = M(\theta'_i, \theta_{-i})$, and $f(o) = U_i^{\mathrm{priv}}(\theta_i, o, M, \theta_{-i}) / F_i(e^{\varepsilon})$. By Proposition 3.3 we have $f(o) \in [-1, 1]$, completing the proof. □

By this lemma, to establish truthfulness in expectation, it suffices to show that the expected gain in outcome utility from reporting $\theta_i$ instead of $\theta'_i$ grows proportionally with the statistical difference $\mathrm{SD}(M(\theta_i, \theta_{-i}), M(\theta'_i, \theta_{-i}))$. (Specifically, it should be at least the statistical difference times $2F_i(e^{\varepsilon})$.) In Lemma 3.9 the gain in outcome utility is related to the statistical difference by coupling the random variables $M(\theta_i, \theta_{-i})$ and $M(\theta'_i, \theta_{-i})$ according to the random choices $r$ of $M$. Indeed, for this (or any other) coupling,
$$\Pr_r\bigl[M(\theta_i, \theta_{-i}; r) \neq M(\theta'_i, \theta_{-i}; r)\bigr] \ge \mathrm{SD}\bigl(M(\theta_i, \theta_{-i}), M(\theta'_i, \theta_{-i})\bigr).$$
Thus, if the outcome-utility gain from truthfulness is larger than $2F_i(e^{\varepsilon})$ whenever $M(\theta_i, \theta_{-i}; r) \neq M(\theta'_i, \theta_{-i}; r)$, then we have truthfulness in expectation (indeed, even universal truthfulness).
We note that if $M$ is $\varepsilon$-differentially private, then
$$\mathrm{SD}\bigl(M(\theta_i, \theta_{-i}), M(\theta'_i, \theta_{-i})\bigr) \le e^{\varepsilon} - 1 = O(\varepsilon)$$
for small $\varepsilon$, since $\Pr[M(\theta_i, \theta_{-i}) \in S] - \Pr[M(\theta'_i, \theta_{-i}) \in S] \le (e^{\varepsilon} - 1) \cdot \Pr[M(\theta'_i, \theta_{-i}) \in S]$ for every set $S$. By Lemma 3.10, the expected difference in privacy utility between any two reports is at most $O(F_i(e^{\varepsilon}) \cdot \varepsilon)$. Thus, $\varepsilon$-differential privacy helps us twice: once in bounding the pointwise privacy cost (as $2F_i(e^{\varepsilon})$), and second in bounding the statistical difference between outcomes. On the other hand, for mechanisms satisfying the conditions of Lemma 3.9, the differential privacy only affects the expected outcome utility by a factor related to the statistical difference. This is why, by taking $\varepsilon$ sufficiently small, we can ensure that the outcome utility of truthfulness dominates the privacy cost.

$^1$ The statistical difference (aka total variation distance) between two discrete random variables $X$ and $Y$ taking values in a universe $\mathcal{U}$ is defined to be $\mathrm{SD}(X, Y) = \max_{S \subseteq \mathcal{U}} |\Pr[X \in S] - \Pr[Y \in S]|$.

Lemma 3.10 is related to, indeed inspired by, existing lemmas used to analyze the composition of differentially private mechanisms. These lemmas state that while differential privacy guarantees a worst-case bound of $\varepsilon$ on the "privacy loss" of all possible outputs, this actually implies an expected privacy loss of $O(\varepsilon^2)$. Such bounds correspond to the special case of Lemma 3.10 when $F_i = \ln$ and we replace the statistical difference with the upper bound $e^{\varepsilon} - 1$. These $O(\varepsilon^2)$ bounds on expected privacy loss were proven first in the case of specific mechanisms by Dinur, Dwork, and Nissim [DN03, DN04], and then in the case of arbitrary differentially private mechanisms by Dwork, Rothblum, and Vadhan [DRV10]. In our case, the $O(\varepsilon^2)$ bound does not suffice, and we need the stronger bound expressed in terms of the statistical difference. Consider the differentially private election when the vote is highly skewed (e.g. 2/3 vs. 1/3). Then a player has only an exponentially small probability (over the random choice $r$ of the mechanism) of affecting the outcome, and so the expected outcome-utility gain from voting truthfully is exponentially small. On the other hand, by Lemma 3.10, the expected privacy loss is also exponentially small, so we can still have truthfulness.

4 Discrete Facility Location

In this section, we apply our framework to discrete facility location. Let $\Theta = \{\ell_1 < \ell_2 < \cdots < \ell_q\} \subseteq [0, 1]$ be a finite set of types indicating players' preferred locations for a facility on the unit interval, and let $O = [0, 1]$. Players prefer to have the facility located as close to them as possible: $U^{out}(\theta_i, o) = -|\theta_i - o|$. For example, the mechanism may be selecting a location for a bus stop along a major highway, and the locations $\ell_1, \ldots, \ell_q$ might correspond to cities along the highway where potential bus riders live.

Note that the voting game we previously considered can be represented as the special case where $\Theta = \{0, 1\}$. This problem has a well-known truthful and economically efficient mechanism: select the location of the median report. Xiao [Xia11] gave a private and truthful mechanism for this problem based on taking the median of a perturbed histogram. His analysis only proved that the mechanism satisfies "approximate differential privacy" (often called $(\varepsilon, \delta)$-differential privacy). To use Proposition 3.3, we need the mechanism to satisfy pure $\varepsilon$-differential privacy (as in Definition 3.2). Here we do that for a variant of Xiao's mechanism.

Mechanism 4.1. Differentially private discrete facility location mechanism
Input: profile $\theta \in \Theta^n$ of types, privacy parameter $\varepsilon > 0$.

1. Construct the histogram $h = (h_1, \ldots, h_q)$ of reported type frequencies, where $h_j$ is the number of reports $\theta_i$ of type $\ell_j$ and $q = |\Theta|$.

2. Choose a random (nonnegative, integer) noise vector $r = (r_1, \ldots, r_q) \in \mathbb{N}^q$ where the components $r_j$ are chosen independently such that $\Pr[r_j = k]$ is proportional to $\exp(-\varepsilon k / 2)$.

3. Output the type corresponding to the median of the perturbed histogram $h + r$. That is, we output $\ell_{\mathrm{Med}(h + r)}$, where for $z \in \mathbb{N}^q$ we define $\mathrm{Med}(z)$ to be the minimum $k \in [q]$ such that $\sum_{j=1}^{k} z_j \ge \sum_{j=k+1}^{q} z_j$.

Xiao's mechanism instead chooses the noise components $r_j$ according to a truncated and shifted Laplace distribution. Specifically, $\Pr[r_j = k]$ is proportional to $\exp(-(\varepsilon/2) \cdot |k - t|)$ for $k = 0, \ldots, 2t$ and $\Pr[r_j = k] = 0$ for $k > 2t$, where $t = O(\log(1/\delta)/\varepsilon)$. This ensures that the noisy histogram $h + r$ is $(\varepsilon, q\delta)$-differentially private, and hence so is the outcome $\ell_{\mathrm{Med}(h + r)}$. Our proof directly analyzes the median, without passing through the histogram. This enables us to achieve pure $\varepsilon$-differential privacy and use a simpler noise distribution. On the other hand, Xiao's analysis is more general, in that it applies to any mechanism that computes its result based on a noisy histogram.
Lemma 4.2. Mechanism 4.1 is $\varepsilon$-differentially private.

Proof. Differential privacy requires that on any pair of histograms $h, h'$ reachable by one player reporting different types, the probability of any particular outcome $o = \ell_j$ being selected differs by at most an $e^{\varepsilon}$ multiplicative factor. Since reporting a different type results in two changes to the histogram (adding to one type and subtracting from another), we show that on each such change the probability differs by at most an $e^{\varepsilon/2}$ factor.

Consider two histograms $h$ and $h'$ that differ only by an addition or subtraction of 1 to a single entry. Let $f_j : \mathbb{N}^q \to \mathbb{N}^q$ map a vector $s$ to the vector $(s_j + 1, s_{-j})$ (i.e. identical except that $s_j$ has been increased by 1). $f_j$ is an injection and has the property that if $j$ is the median of $h + s$ then $j$ is also the median of $h' + f_j(s)$ (adding one unit at the median index $j$ compensates for the single unit added to or removed from $h$, whichever side of $j$ it lies on). Note that under our noise distribution, we have $\Pr[r = f_j(s)] = e^{-\varepsilon/2} \cdot \Pr[r = s]$.

Then writing $M$ as a function of $h$ rather than $\theta$, we have:
$$\begin{aligned}
\Pr_r[M(h) = \ell_j] &= \sum_{s \,:\, \mathrm{Med}(h + s) = j} \Pr[r = s] \\
&= \sum_{s \,:\, \mathrm{Med}(h + s) = j} e^{\varepsilon/2} \cdot \Pr[r = f_j(s)] \\
&\le e^{\varepsilon/2} \cdot \sum_{s \,:\, \mathrm{Med}(h' + f_j(s)) = j} \Pr[r = f_j(s)] \\
&\le e^{\varepsilon/2} \cdot \sum_{s' \,:\, \mathrm{Med}(h' + s') = j} \Pr[r = s'] \\
&= e^{\varepsilon/2} \cdot \Pr_r[M(h') = \ell_j],
\end{aligned}$$
where the first inequality uses the median-preservation property of $f_j$ and the second uses that $f_j$ is an injection (so the substitution $s' = f_j(s)$ hits each $s'$ at most once). A symmetric argument shows this is also true switching $h$ and $h'$, which completes the proof. □

We note that the only property the above proof used about the noise distribution is that $\Pr[r = s] \le e^{\varepsilon/2} \cdot \Pr[r = f_j(s)]$. This property does not hold for Xiao's noise distribution as described, due to its being truncated above at $2t$, but would hold if his noise distribution were truncated only below.
We next show that this mechanism is truthful and individually rational.

Theorem 4.3. Mechanism 4.1 is universally truthful and individually rational for player $i$ provided that, for some function $F_i$:

1. Player $i$'s privacy utility $U_i^{priv}$ satisfies Assumption 3.1 with privacy bound function $F_i$, and

2. For all $\theta_i, o, o' \in \Theta$ such that $\theta_i \le o < o'$ or $o' < o \le \theta_i$, we have $U_i^{out}(\theta_i, o) - U_i^{out}(\theta_i, o') > 2F_i(e^{\varepsilon})$.

In particular, if all players share the standard outcome utility function $U^{out}(\theta_i, o) = -|\theta_i - o|$ and have the same privacy bound function $F_i = F$, then the mechanism is universally truthful and individually rational provided that
$$\min_{j \neq k} |\ell_j - \ell_k| > 2F(e^{\varepsilon}).$$
So, for a fixed set of player types (preferred locations), we can take $\varepsilon$ to be a small constant and have truthfulness and individual rationality.

Proof. We argue universal truthfulness; essentially the same argument then shows that the mechanism is also individually rational, since even given the additional option of protecting privacy by not participating at all rather than just reporting a different type, it is still optimal for players to report their true type.

Fix $r \in \mathbb{N}^q$, the randomness used by the mechanism, and the reports $\theta_{-i}$ of the other players. Following Xiao [Xia11], we think of $r$ as representing the reports of some fictional additional players, and follow the truthfulness reasoning for the standard, noiseless median mechanism. Suppose $M(\theta_i, \theta_{-i}; r) = o$ and $M(\theta'_i, \theta_{-i}; r) = o' \neq o$. If $\theta_i = o$, then $o'$ is trivially farther from $i$'s preferred location than $o$ is. If $\theta_i < o$, then player $i$'s report lies strictly below the median, and moving that report (in either direction) cannot reduce the median, so we must have $o' > o$. Thus, this change has moved the facility at least one location away from $i$'s preferred location. Similarly, if $\theta_i > o$, we have $o' < o$, so again the change is away from $i$'s preferred location. In every case, condition 2 of the theorem gives $U_i^{out}(\theta_i, o) - U_i^{out}(\theta_i, o') > 2F_i(e^{\varepsilon})$, so universal truthfulness follows by Lemma 3.9. For individual rationality, we can model non-participation as a report of a type $\bot$ that does not get included in the histogram. Again, any change of the median caused by reporting $\bot$ will move it away from $i$'s preferred location. Thus $M$ is individually rational. □
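The following is an added example, not code from the paper: a brute-force Python checker for Mechanism 4.1 that computes the exact output distribution of the noisy-histogram median (over a truncated noise range) and verifies, on a constructed three-city histogram, the $e^{\varepsilon}$ ratio bound of Lemma 4.2, the coupling inequality $\Pr_r[M(\theta_i, \theta_{-i}; r) \neq M(\theta'_i, \theta_{-i}; r)] \ge \mathrm{SD}(M(\theta_i, \theta_{-i}), M(\theta'_i, \theta_{-i}))$ from the discussion after Lemma 3.10, and the for-every-$r$ argument in the proof of Theorem 4.3. The truncation bound `K`, the sample histograms and the helper names are assumptions of the example and not notation from the paper.

```python
import itertools
import math

# Added example (not from the paper): a brute-force checker for Mechanism 4.1.
# Types are indexed 1..q, histograms are tuples (h_1, ..., h_q), and the output
# is the index Med(h + r). Assumption: noise vectors are enumerated over
# {0, ..., K}^q only; the omitted tail has mass at most q * exp(-eps*(K+1)/2),
# so the probability checks carry a correspondingly small slack.


def med(z):
    """Med(z): minimum k (1-based) with sum_{j<=k} z_j >= sum_{j>k} z_j."""
    total, left = sum(z), 0
    for k, zk in enumerate(z, start=1):
        left += zk
        if left >= total - left:
            return k
    return len(z)


def mechanism(h, s):
    """Outcome index of Mechanism 4.1 on histogram h with the noise vector s fixed."""
    return med([hj + sj for hj, sj in zip(h, s)])


def noise_table(eps, K):
    """Pr[r_j = k] = (1 - e^{-eps/2}) e^{-eps k/2} for k = 0..K (geometric noise)."""
    rho = math.exp(-eps / 2)
    return [(1 - rho) * rho ** k for k in range(K + 1)]


def output_distribution(h, eps, K):
    """Pr[M(h) = l_j] for j = 1..q, summing Pr[r = s] over s in {0..K}^q."""
    q, pk = len(h), noise_table(eps, K)
    dist = [0.0] * (q + 1)
    for s in itertools.product(range(K + 1), repeat=q):
        dist[mechanism(h, s)] += math.prod(pk[k] for k in s)
    return dist[1:]


def max_ratio(h, h_prime, eps, K):
    """max_j Pr[M(h) = l_j] / Pr[M(h') = l_j]. Lemma 4.2 says this is at most
    e^eps whenever h and h' differ by a single player's report."""
    d, d2 = output_distribution(h, eps, K), output_distribution(h_prime, eps, K)
    return max(a / b for a, b in zip(d, d2) if a > 0)


def statistical_difference(h, h_prime, eps, K):
    """SD(M(h), M(h')) = (1/2) sum_j |Pr[M(h) = l_j] - Pr[M(h') = l_j]|."""
    d, d2 = output_distribution(h, eps, K), output_distribution(h_prime, eps, K)
    return 0.5 * sum(abs(a - b) for a, b in zip(d, d2))


def coupling_disagreement(h, h_prime, eps, K):
    """Pr_r[M(h; r) != M(h'; r)] with the same noise r on both sides; this
    coupling probability is always at least the statistical difference."""
    q, pk = len(h), noise_table(eps, K)
    return sum(math.prod(pk[k] for k in s)
               for s in itertools.product(range(K + 1), repeat=q)
               if mechanism(h, s) != mechanism(h_prime, s))


def misreport_never_helps(h_others, true_type, locations, K):
    """Universal truthfulness check from Theorem 4.3: for every fixed noise s and
    every alternative report t, the outcome utility -|theta_i - o| of a player
    whose true type has index true_type never improves over reporting truthfully."""
    q, theta_i = len(h_others), locations[true_type - 1]

    def with_report(t):  # histogram of the others plus player i's report t
        h = list(h_others)
        h[t - 1] += 1
        return h

    truthful = with_report(true_type)
    for s in itertools.product(range(K + 1), repeat=q):
        o_true = locations[mechanism(truthful, s) - 1]
        for t in range(1, q + 1):
            o_lie = locations[mechanism(with_report(t), s) - 1]
            if abs(theta_i - o_lie) < abs(theta_i - o_true):
                return False
    return True


if __name__ == "__main__":
    # Constructed sample: three cities at 0, 0.5, 1; one voter moves from city 1 to 2.
    H, H_PRIME, EPS, K = (4, 3, 2), (3, 4, 2), 1.0, 30
    print("max ratio", max_ratio(H, H_PRIME, EPS, K), "<= e^eps =", math.exp(EPS))
    print("SD", statistical_difference(H, H_PRIME, EPS, K),
          "<= coupling", coupling_disagreement(H, H_PRIME, EPS, K))
    print("truthful for every noise vector:",
          misreport_never_helps((3, 3, 2), 1, [0.0, 0.5, 1.0], 6))
```

`misreport_never_helps` deliberately ignores $\varepsilon$: the claim of Theorem 4.3 is per noise vector, so the check enumerates noise vectors rather than weighting them. The exact-distribution functions are only practical for small $q$ and $K$, which is all that is needed to see the bounds of Lemma 4.2 hold with room to spare.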

Proposition 4.4. Suppose that every player $i$ has the standard outcome utility function $U_i^{out}(\theta_i, o) = -|\theta_i - o|$. Then for every profile of types $\theta \in \Theta^n$, if we choose $o \leftarrow M(\theta)$ using Mechanism 4.1, we have

1. $\Pr\bigl[\sum_i U_i^{out}(\theta_i, o) < \max_{o'} \bigl(\sum_i U_i^{out}(\theta_i, o')\bigr) - \Delta\bigr] \le q \cdot e^{-\varepsilon\Delta/(2q)}$.

2. $\mathbb{E}\bigl[\sum_i U_i^{out}(\theta_i, o)\bigr] \ge \max_{o'} \bigl(\sum_i U_i^{out}(\theta_i, o')\bigr) - O(q/\varepsilon)$.

Thus, the social welfare is within $\Delta = O(q)/\varepsilon$ of optimal, both in expectation and with high probability. As with Proposition 3.7, these bounds are independent of the number $n$ of participants, so we obtain asymptotically optimal social welfare as $n \to \infty$. Also as in the discussion after Proposition 3.7, by taking $\varepsilon = \varepsilon(n)$ such that $\varepsilon = o(1)$ and $\varepsilon = \omega(1/n)$ (e.g. $\varepsilon = 1/\sqrt{n}$), the sum of privacy utilities is also a vanishing fraction of $n$ (for participants satisfying Assumption 3.1 with a common privacy bound function $F$).

Proof of Proposition 4.4. Note that $-\sum_i U_i^{out}(\theta_i, o') = \sum_j h_j \cdot |\ell_j - o'|$, where $h = (h_1, \ldots, h_q)$ is the histogram corresponding to $\theta$. This negated social welfare is minimized by taking $o' = \ell_{\mathrm{Med}(h)}$. Our mechanism, however, computes the optimal location for the noisy histogram $h + r$. We can relate the two as follows:
$$\begin{aligned}
-\sum_i U_i^{out}(\theta_i, o) &= \sum_j h_j \cdot |\ell_j - o| \\
&\le \sum_j (h_j + r_j) \cdot |\ell_j - o| \\
&\le \min_{o'} \sum_j (h_j + r_j) \cdot |\ell_j - o'| \\
&\le \min_{o'} \sum_j h_j \cdot |\ell_j - o'| + \sum_j r_j \\
&= -\max_{o'} \sum_i U_i^{out}(\theta_i, o') + \sum_j r_j,
\end{aligned}$$
where the second inequality uses that $o = \ell_{\mathrm{Med}(h + r)}$ minimizes the noisy objective, and the third uses $|\ell_j - o'| \le 1$. Thus, for the high probability bound, it suffices to bound the probability that $\sum_j r_j \ge \Delta$. This in turn is bounded by $q$ times the probability that any particular $r_j$ is at least $\Delta/q$, which is at most $e^{-\varepsilon\Delta/(2q)}$ since $\Pr[r_j \ge k] = e^{-\varepsilon k/2}$. For the expectation bound, we have
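As an added worked derivation (not part of the original text), the expectation bound follows by computing $\mathbb{E}[\sum_j r_j]$ directly from the geometric noise distribution of Mechanism 4.1, under which $\Pr[r_j = k] = (1 - e^{-\varepsilon/2})\,e^{-\varepsilon k/2}$ and hence $\Pr[r_j \ge k] = e^{-\varepsilon k/2}$:
$$\mathbb{E}\Bigl[\sum_j r_j\Bigr] = q \cdot \mathbb{E}[r_1] = q \sum_{k \ge 1} \Pr[r_1 \ge k] = q \sum_{k \ge 1} e^{-\varepsilon k/2} = \frac{q\,e^{-\varepsilon/2}}{1 - e^{-\varepsilon/2}} \le \frac{2q}{\varepsilon} = O(q/\varepsilon),$$
where the last inequality uses $x \le e^{x} - 1$ with $x = \varepsilon/2$. Combined with the chain of inequalities above, $\mathbb{E}\bigl[\sum_i U_i^{out}(\theta_i, o)\bigr] \ge \max_{o'} \bigl(\sum_i U_i^{out}(\theta_i, o')\bigr) - 2q/\varepsilon$.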



5 General Social Choice Problems

In this section, we apply our framework to general social choice problems with discrete utilities using an adaptation of the Vickrey-Clarke-Groves (VCG) mechanism. In a social choice problem, we want to choose an outcome $o$ from a set $O$ so as to maximize social welfare (the total utility that players assign to $o$). The voting and facility location problems examined in the previous sections are special cases of this general problem. In the general case we examine now, we won't assume any structure on the utility functions (other than discreteness), and thus we will need to use payments to incentivize players to truthfully reveal their preferences.

Specifically, the type $\theta_i \in \Theta$ of a player will specify a utility $U^{out}(\theta_i, o) \in \{0, 1, \ldots, M\}$ for each outcome $o$. This could correspond, for example, to players having values for outcomes expressible in whole dollars with some upper and lower bounds. This assumption ensures a finite set of types and that if a player changes his reported value it must change by some minimum amount (1 with our particular assumption). Since we view the type as specifying the utilities for each outcome, all players will share the same outcome utility function $U_i^{out} = U^{out}$. In order to reason about individual rationality, we also assume that the set of types includes a type $\bot$ that corresponds to not participating (i.e. $U^{out}(\bot, o) = 0$ for all $o$). For notational convenience, we assume that $O = \{0, 1, \ldots, |O| - 1\}$.

Our goal is to choose the outcome $o^*$ that maximizes social welfare (ignoring privacy), i.e. $o^* = \arg\max_{o \in O} \sum_i U^{out}(\theta_i, o)$. A standard way to do so is the pivotal (Clarke) mechanism, commonly called the VCG mechanism, which is a special case of the more general family of Groves mechanisms. Each player reports his type and then the optimal outcome $o^*$ is chosen based on the reported types. To ensure truthfulness, each player is charged the externality he imposes on others. If $o_{-i} = \arg\max_{o \in O} \sum_{j \neq i} U^{out}(\theta_j, o)$ is the outcome that would have been chosen without $i$'s input, then player $i$ makes a payment of
$$P_i = \sum_{j \neq i} \bigl(U^{out}(\theta_j, o_{-i}) - U^{out}(\theta_j, o^*)\bigr), \qquad (5.1)$$
for a combined utility of
$$U^{out}(\theta_i, o^*) - P_i.$$

In addition to subtracting payments from player $i$'s utility as above, we also need to consider the effect of payments on privacy. (The modelling in Section 3.1 did not consider payments.) While it may be reasonable to treat the payments players make as secret, so that making the payment does not reveal information to others, the amount a player is asked to pay reveals information about the reports of other players. Moreover, multiple players might combine information from their payment requests to compromise the privacy of some other player. Therefore, we will require that the mechanism release some public payment information $\pi$ that enables all players to compute the payments they need to make, i.e. the payment $P_i$ of player $i$ should be a function of $\theta_i$, $\pi$, and $o^*$. For example, $\pi$ could just be the $n$-tuple $(P_1, \ldots, P_n)$, which corresponds to making all payments public. But note that in the VCG mechanism described above, it suffices for $\pi$ to include the value $V_o = \sum_j U^{out}(\theta_j, o)$ for all outcomes $o \in O$, since
$$\begin{aligned}
P_i &= \bigl(V_{o_{-i}} - U^{out}(\theta_i, o_{-i})\bigr) - \bigl(V_{o^*} - U^{out}(\theta_i, o^*)\bigr) \\
&= \max_{o} \Bigl(\bigl(U^{out}(\theta_i, o^*) - U^{out}(\theta_i, o)\bigr) - \bigl(V_{o^*} - V_o\bigr)\Bigr),
\end{aligned}$$
which can be computed using just the $V_o$'s, $o^*$, and $\theta_i$. Moreover, we actually only need to release the differences $V_{o^*} - V_o$, and only need to do so for outcomes $o$ such that $V_{o^*} - V_o \le M$, since only such outcomes have a chance of achieving the above maximum. (Recall that $U^{out}(\theta_i, o) \in \{0, 1, \ldots, M\}$, so the term for any other $o$ is negative, whereas the term for $o = o^*$ is zero.) This observation forms the basis of our mechanism, which we will show to be truthful for players that value privacy (under Assumption 3.1).

Before stating our mechanism, we summarize how we take payments into account in our modelling. Given reports $\theta' \in \Theta^n$ and randomness $r$, our mechanism $M(\theta'; r)$ outputs a pair $(o^*, \pi)$, where $o^* \in O$ is the selected outcome and $\pi$ is "payment information". Each player then should send payment $P_i = P(\theta'_i, o^*, \pi)$ to the mechanism. (The payment function $P$ is something we design together with the mechanism $M$.) If player $i$'s true type is $\theta_i$, then her total utility is:
$$U_i(\theta_i, o^*, \pi, M, \theta') = U^{out}(\theta_i, o^*) - P(\theta'_i, o^*, \pi) + U_i^{priv}(\theta_i, (o^*, \pi), M, \theta'_{-i}).$$
Note that we measure the privacy of the pair $(o^*, \pi)$, since both are released publicly.

To achieve truthfulness for players that value privacy, we will modify the VCG mechanism described above by adding noise to the values $V_o$. This yields the following mechanism:

Mechanism 5.1. Differentially private VCG mechanism
Input: profile $\theta \in \Theta^n$ of types, privacy parameter $\varepsilon > 0$.

1. Choose $\Lambda_o$ from a (discrete) Laplace distribution for each outcome $o$. Specifically, we set $\Pr[\Lambda_o = k] \propto \exp(-(\varepsilon \cdot |k|)/(M \cdot |O|))$ for every integer $k \in \mathbb{Z}$.

2. Calculate values $V_o = \sum_j U^{out}(\theta_j, o) + \Lambda_o + o/|O|$ for each outcome $o$. (Recall that we set $O = \{0, \ldots, |O| - 1\}$. The $o/|O|$ term is introduced in order to break ties.)

3. Select outcome $o^* = \arg\max_o V_o$.

4. Set the payment information $\pi = \{(o, V_{o^*} - V_o) : V_o \ge V_{o^*} - M\}$.

5. Output $(o^*, \pi)$.

Each player $i$ then sends a payment of
$$P_i = P(\theta_i, o^*, \pi) = \max_{(o,\, V_{o^*} - V_o) \in \pi} \Bigl(\bigl(U^{out}(\theta_i, o^*) - U^{out}(\theta_i, o)\bigr) - \bigl(V_{o^*} - V_o\bigr)\Bigr).$$

By standard results on differential privacy, the tuple of noisy values $(V_o)_{o \in O}$ is $\varepsilon$-differentially private: changing one player's report changes each sum $\sum_j U^{out}(\theta_j, o)$ by at most $M$, so the vector of $|O|$ sums has $\ell_1$-sensitivity at most $M \cdot |O|$, which is exactly the scale of the discrete Laplace noise in Step 1. Since the output $(o^*, \pi)$ is a function of the $V_o$'s, the output is also differentially private:

Lemma 5.2. Mechanism 5.1 is $\varepsilon$-differentially private.
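An added Python example (not the paper's or Xiao's code) implementing Mechanism 5.1 and its payment rule, to make two points above concrete: the payment computed from the released information $\pi$ alone equals the Clarke externality (5.1) with the noise treated as the report of one extra fictional player, and, for any fixed noise vector, a misreport either leaves the outcome (and hence the payment) unchanged or costs the player at least $1/|O|$, the gap forced by the $o/|O|$ tie-breaking term (the pointwise fact used later in the proof of Lemma 5.3). The player profile, the noise vectors and the helper names (`dp_vcg`, `payment`, `vcg_externality`, `sample_noise`) are constructed for the example.

```python
import itertools
import math
import random

# Added example (not the paper's own code): Mechanism 5.1, the differentially
# private VCG mechanism, with each player's payment computed only from the
# released payment information pi. Outcomes are 0..|O|-1 and a type is a
# tuple of integer utilities in {0, ..., M}, one per outcome. The noise is
# passed in explicitly so that the checks are deterministic; sample_noise()
# at the bottom draws it with Pr[Lambda_o = k] proportional to exp(-eps|k|/(M|O|)).


def dp_vcg(reports, M, noise):
    """Steps 2-5 of Mechanism 5.1 for a fixed noise vector (one integer per outcome).
    Returns (o_star, pi) with pi = {o: V_{o*} - V_o for o with V_o >= V_{o*} - M}."""
    n_out = len(noise)
    V = [sum(theta[o] for theta in reports) + noise[o] + o / n_out for o in range(n_out)]
    o_star = max(range(n_out), key=lambda o: V[o])  # the o/|O| term rules out ties
    pi = {o: V[o_star] - V[o] for o in range(n_out) if V[o] >= V[o_star] - M}
    return o_star, pi


def payment(theta_i, o_star, pi):
    """P(theta_i, o*, pi) = max over released o of (U(theta_i,o*) - U(theta_i,o)) - (V_{o*} - V_o).
    The o = o* entry contributes 0, so the payment is never negative."""
    return max((theta_i[o_star] - theta_i[o]) - gap for o, gap in pi.items())


def vcg_externality(reports, i, M, noise):
    """Reference value: the Clarke externality (5.1) with the noise treated as one
    extra fictional player, i.e. max_o W_o - W_{o*} with W_o = V_o - U(theta_i, o).
    It must agree with payment(), which sees only o* and pi."""
    n_out = len(noise)
    W = [sum(theta[o] for j, theta in enumerate(reports) if j != i) + noise[o] + o / n_out
         for o in range(n_out)]
    o_star, _ = dp_vcg(reports, M, noise)
    return max(W) - W[o_star]


def misreport_gain(reports, i, theta_lie, M, noise):
    """Change in player i's (outcome utility - payment), measured with the true
    type reports[i], when i reports theta_lie instead of the truth."""
    theta_true = reports[i]

    def net(theta_reported):
        rep = list(reports)
        rep[i] = theta_reported
        o_star, pi = dp_vcg(rep, M, noise)
        return theta_true[o_star] - payment(theta_reported, o_star, pi)

    return net(theta_lie) - net(theta_true)


def truthful_for_all_misreports(reports, i, M, noise):
    """Pointwise check behind Lemma 5.3 for one fixed noise vector: every misreport
    in {0..M}^|O| either leaves the outcome unchanged (gain exactly 0) or loses
    at least 1/|O|, the gap forced by the o/|O| tie-breaking term."""
    n_out = len(noise)
    o_true, _ = dp_vcg(reports, M, noise)
    for lie in itertools.product(range(M + 1), repeat=n_out):
        rep = list(reports)
        rep[i] = lie
        o_lie, _ = dp_vcg(rep, M, noise)
        gain = misreport_gain(reports, i, lie, M, noise)
        if o_lie == o_true and abs(gain) > 1e-9:
            return False
        if o_lie != o_true and gain > -1.0 / n_out + 1e-9:
            return False
    return True


def sample_noise(eps, M, n_out, rng):
    """Draw Lambda_o for every outcome with Pr[Lambda_o = k] proportional to
    exp(-eps|k|/(M|O|)), as the difference of two i.i.d. geometric variables
    (this two-sided geometric distribution has exactly that pmf)."""
    q = math.exp(-eps / (M * n_out))  # Pr[G = m] = (1 - q) q^m for m = 0, 1, ...

    def geometric():
        return int(math.floor(math.log(1.0 - rng.random()) / math.log(q)))

    return tuple(geometric() - geometric() for _ in range(n_out))


if __name__ == "__main__":
    # Constructed sample: three players, three outcomes, utilities in {0..5}.
    reports = [(5, 0, 2), (1, 4, 0), (0, 3, 5)]
    noise = sample_noise(eps=0.5, M=5, n_out=3, rng=random.Random(7))
    o_star, pi = dp_vcg(reports, 5, noise)
    print("noise", noise, "outcome", o_star, "released", pi)
    for i, theta in enumerate(reports):
        print("player", i, "pays", payment(theta, o_star, pi),
              "externality", vcg_externality(reports, i, 5, noise))
    print("truthful for all misreports:",
          all(truthful_for_all_misreports(reports, i, 5, noise) for i in range(3)))
```

Note that `payment` never looks at the other players' reports: everything it needs is in $\pi$, which is why releasing $\pi$ (and not the individual $V_o$'s) is enough for players to settle up, and why the privacy analysis has to account for $\pi$ as part of the output.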

We now prove that the mechanism is truthful in expectation for players that value privacy (satisfying Assumption 3.1). To do this, we use Lemma 3.10, which shows that by taking $\varepsilon$ sufficiently small, the expected change in privacy utility from misreporting $\theta'_i$ instead of $\theta_i$ can be made an arbitrarily small fraction of the statistical difference $\mathrm{SD}(M(\theta_i, \theta_{-i}), M(\theta'_i, \theta_{-i}))$. Thus, to show truthfulness in expectation, it suffices to show that the statistical difference is at most a constant factor larger than the expected decrease in utility from misreporting. That is, writing $P(\theta, M(\cdot))$ as shorthand for $P(\theta, o^*, \pi)$ with $(o^*, \pi) = M(\cdot)$, we want to show:
$$\mathrm{SD}\bigl(M(\theta_i, \theta_{-i}), M(\theta'_i, \theta_{-i})\bigr) = O\Bigl(\mathbb{E}\bigl[U^{out}(\theta_i, M^1(\theta_i, \theta_{-i})) - P(\theta_i, M(\theta_i, \theta_{-i}))\bigr] - \mathbb{E}\bigl[U^{out}(\theta_i, M^1(\theta'_i, \theta_{-i})) - P(\theta'_i, M(\theta'_i, \theta_{-i}))\bigr]\Bigr).$$

To bound the statistical difference, we write $M(\theta; r) = (M^1(\theta; r), M^2(\theta; r))$, where $M^1$ gives the outcome $o^*$ and $M^2$ gives the payment information $\pi$. Then we have:
$$\begin{aligned}
\mathrm{SD}\bigl(M(\theta_i, \theta_{-i}), M(\theta'_i, \theta_{-i})\bigr) &\le \Pr_r\bigl[M(\theta_i, \theta_{-i}; r) \neq M(\theta'_i, \theta_{-i}; r)\bigr] \\
&\le \Pr_r\bigl[M^1(\theta_i, \theta_{-i}; r) \neq M^1(\theta'_i, \theta_{-i}; r)\bigr] \\
&\quad + \Pr_r\bigl[M^1(\theta_i, \theta_{-i}; r) = M^1(\theta'_i, \theta_{-i}; r) \wedge M^2(\theta_i, \theta_{-i}; r) \neq M^2(\theta'_i, \theta_{-i}; r)\bigr].
\end{aligned}$$

The next lemma bounds the statistical difference coming from the outcome:

Lemma 5.3.
$$\Pr_r\bigl[M^1(\theta_i, \theta_{-i}; r) \neq M^1(\theta'_i, \theta_{-i}; r)\bigr] \le |O| \cdot \Bigl(\mathbb{E}\bigl[U^{out}(\theta_i, M^1(\theta_i, \theta_{-i})) - P(\theta_i, M(\theta_i, \theta_{-i}))\bigr] - \mathbb{E}\bigl[U^{out}(\theta_i, M^1(\theta'_i, \theta_{-i})) - P(\theta'_i, M(\theta'_i, \theta_{-i}))\bigr]\Bigr).$$
Proof. It suffices to show that for every value of $r$, we have:
$$\mathbb{I}\bigl[M^1(\theta_i, \theta_{-i}; r) \neq M^1(\theta'_i, \theta_{-i}; r)\bigr] \le |O| \cdot \Bigl(\bigl(U^{out}(\theta_i, M^1(\theta_i, \theta_{-i}; r)) - P(\theta_i, M(\theta_i, \theta_{-i}; r))\bigr) - \bigl(U^{out}(\theta_i, M^1(\theta'_i, \theta_{-i}; r)) - P(\theta'_i, M(\theta'_i, \theta_{-i}; r))\bigr)\Bigr), \qquad (5.2)$$
where $\mathbb{I}[X]$ denotes the indicator for the event $X$. (Then taking expectation over $r$ yields the desired result.)

If $M^1(\theta_i, \theta_{-i}; r) = M^1(\theta'_i, \theta_{-i}; r)$, then both the left-hand and right-hand sides are zero. (Recall that the payment made by player $i$ on an outcome $o$ depends only on the reports of the other players and the randomness of the mechanism.)

So consider a value of $r$ such that $M^1(\theta_i, \theta_{-i}; r) \neq M^1(\theta'_i, \theta_{-i}; r)$ (i.e. where the indicator is 1). We can treat the $\Lambda_o + o/|O|$ term added to each $V_o$ as the report of another player to the standard VCG mechanism. We know that
$$\bigl(U^{out}(\theta_i, M^1(\theta_i, \theta_{-i}; r)) - P(\theta_i, M(\theta_i, \theta_{-i}; r))\bigr) - \bigl(U^{out}(\theta_i, M^1(\theta'_i, \theta_{-i}; r)) - P(\theta'_i, M(\theta'_i, \theta_{-i}; r))\bigr) \ge 0$$
because VCG is incentive compatible for players who don't have a privacy utility. Since the mechanism adds an $o/|O|$ term to $V_o$ to avoid ties, the above inequality is strict. Moreover, the left-hand side is at least $1/|O|$, which establishes Inequality (5.2).

In more detail, let $o^* = M^1(\theta_i, \theta_{-i}; r)$ and $o' = M^1(\theta'_i, \theta_{-i}; r)$ for some $o' \neq o^*$. Write $W_o = \sum_{j \neq i} U^{out}(\theta_j, o) + \Lambda_o + o/|O|$ for each outcome $o$ ($W_o$ is just $V_o$ excluding the report of player $i$), and $o_{-i} = \arg\max_o W_o$. Since the mechanism chose $o^*$ on report $\theta_i$, we must have
$$W_{o^*} + U^{out}(\theta_i, o^*) \ge W_{o'} + U^{out}(\theta_i, o').$$
Since the fractional parts of the two sides are different multiples of $1/|O|$ (namely $o^*/|O|$ and $o'/|O|$), we have:
$$W_{o^*} + U^{out}(\theta_i, o^*) \ge W_{o'} + U^{out}(\theta_i, o') + 1/|O|.$$
Thus, using that the payment on an outcome $o$ equals $W_{o_{-i}} - W_o$ whichever report produced $o$:
$$\begin{aligned}
U^{out}(\theta_i, M^1(\theta_i, \theta_{-i}; r)) - P(\theta_i, M(\theta_i, \theta_{-i}; r)) &= U^{out}(\theta_i, o^*) - (W_{o_{-i}} - W_{o^*}) \\
&\ge U^{out}(\theta_i, o') - (W_{o_{-i}} - W_{o'}) + 1/|O| \\
&= U^{out}(\theta_i, M^1(\theta'_i, \theta_{-i}; r)) - P(\theta'_i, M(\theta'_i, \theta_{-i}; r)) + 1/|O|,
\end{aligned}$$
establishing Inequality (5.2). □

Now we need to prove a similar bound for the probability of misreporting only affecting the payment information $\pi$. We note that one trivial solution for handling payments is to only collect payments with a very small probability $p$, but increase the magnitude of the payments by a factor of $1/p$. In order for payments not to contribute more to the statistical difference than the outcome, we can take $p$ to be the minimum possible nonzero value of the probability that a misreport can change the outcome (i.e. $\Pr_r[M^1(\theta_i, \theta_{-i}; r) \neq M^1(\theta'_i, \theta_{-i}; r)]$). However, this quantity is exponentially small in $n$. This would make the magnitude of payments exponentially large, which is undesirable. (Our assumption that players are risk neutral seems unreasonable in such a setting.) However, it turns out that we do not actually need to do this; our mechanism already releases payment information with sufficiently low probability. Indeed, we only release payment information relating to an outcome $o$ when $V_o$ is within $M$ of $V_{o^*}$, and the probability that this occurs cannot be much larger than the probability that the outcome is changed from $o^*$ to $o$.

Lemma 5.4.
$$\Pr_r\bigl[M^1(\theta_i, \theta_{-i}; r) = M^1(\theta'_i, \theta_{-i}; r) \wedge M^2(\theta_i, \theta_{-i}; r) \neq M^2(\theta'_i, \theta_{-i}; r)\bigr] \le 2M e^{\varepsilon/|O|} \cdot \Pr_r\bigl[M^1(\theta_i, \theta_{-i}; r) \neq M^1(\theta'_i, \theta_{-i}; r)\bigr].$$
Proof. First observe that
$$\Pr_r\bigl[M^1(\theta_i, \theta_{-i}; r) = M^1(\theta'_i, \theta_{-i}; r) \wedge M^2(\theta_i, \theta_{-i}; r) \neq M^2(\theta'_i, \theta_{-i}; r)\bigr] \le \sum_{o_1 \neq o_2} \Pr_r\bigl[M^1(\theta_i, \theta_{-i}; r) = M^1(\theta'_i, \theta_{-i}; r) = o_1 \wedge M^2(\theta_i, \theta_{-i}; r) \neq M^2(\theta'_i, \theta_{-i}; r) \text{ on } o_2\bigr],$$
by which we mean that either $(o_2, V_{o_1} - V_{o_2})$ is released in one case but not the other, or it is released in both cases but with different values.

Fix $o_1$ and $o_2$ as above. If $U^{out}(\theta_i, o_1) - U^{out}(\theta_i, o_2) = U^{out}(\theta'_i, o_1) - U^{out}(\theta'_i, o_2)$, then $\Pr_r[M^1(\theta_i, \theta_{-i}; r) = M^1(\theta'_i, \theta_{-i}; r) = o_1 \wedge M^2(\theta_i, \theta_{-i}; r) \neq M^2(\theta'_i, \theta_{-i}; r) \text{ on } o_2] = 0$, because the difference between $V_{o_1}$ and $V_{o_2}$ is not changed by the misreporting. So assume that $U^{out}(\theta_i, o_1) - U^{out}(\theta_i, o_2) \neq U^{out}(\theta'_i, o_1) - U^{out}(\theta'_i, o_2)$; these values must differ by at least 1 due to the discreteness assumption. Fix $\Lambda_o = k_o$ for all $o \neq o_2$, and denote these as a vector $k_{-o_2}$. Consider some value $k_{o_2}$ such that when $\Lambda_{o_2} = k_{o_2}$ we have $M^1(\theta_i, \theta_{-i}; (k_{o_2}, k_{-o_2})) = M^1(\theta'_i, \theta_{-i}; (k_{o_2}, k_{-o_2})) = o_1$ and $M^2(\theta_i, \theta_{-i}; (k_{o_2}, k_{-o_2})) \neq M^2(\theta'_i, \theta_{-i}; (k_{o_2}, k_{-o_2}))$ on $o_2$. (If there is no such $k_{o_2}$ then the event has probability 0 for this choice of $k_{-o_2}$.) Now consider increasing the value of $k_{o_2}$. Let $k^*_{o_2}$ be the minimum value such that either $M^1(\theta_i, \theta_{-i}; (k^*_{o_2}, k_{-o_2})) = o_2$ or $M^1(\theta'_i, \theta_{-i}; (k^*_{o_2}, k_{-o_2})) = o_2$. At this first such value, only one of these two events will happen, because $U^{out}(\theta_i, o_1) - U^{out}(\theta_i, o_2)$ and $U^{out}(\theta'_i, o_1) - U^{out}(\theta'_i, o_2)$ differ by at least 1. Moreover, we have $k^*_{o_2} \le k_{o_2} + M$, because with $\Lambda_{o_2} = k_{o_2}$ we have $V_{o_1} - V_{o_2} \le M$ for either report $\theta_i$ or $\theta'_i$. Since $\Pr[\Lambda_{o_2} = k] \propto \exp(-\varepsilon \cdot |k|/(M \cdot |O|))$ and $|k^*_{o_2} - k_{o_2}| \le M$, we have $\Pr[\Lambda_{o_2} = k_{o_2}] \le \exp(\varepsilon/|O|) \cdot \Pr[\Lambda_{o_2} = k^*_{o_2}]$. Furthermore, there can be at most $M$ such values of $k_{o_2}$ (namely those in $[k^*_{o_2} - M, k^*_{o_2} - 1]$). Thus,
$$\begin{aligned}
&\Pr\bigl[\Lambda_{-o_2} = k_{-o_2} \wedge M^1(\theta_i, \theta_{-i}; r) = M^1(\theta'_i, \theta_{-i}; r) = o_1 \wedge M^2(\theta_i, \theta_{-i}; r) \neq M^2(\theta'_i, \theta_{-i}; r) \text{ on } o_2\bigr] \\
&\quad \le M e^{\varepsilon/|O|} \cdot \Pr\bigl[\Lambda_{-o_2} = k_{-o_2} \wedge M^1(\theta_i, \theta_{-i}; r) \neq M^1(\theta'_i, \theta_{-i}; r) \wedge M^1(\theta_i, \theta_{-i}; r) \in \{o_1, o_2\} \wedge M^1(\theta'_i, \theta_{-i}; r) \in \{o_1, o_2\}\bigr].
\end{aligned}$$
Summing over all $o_1 \neq o_2$ and $k_{-o_2}$ gives us the lemma. The factor 2 in the lemma statement is due to the fact that
$$\sum_{o_1 \neq o_2,\; k_{-o_2}} \Pr\bigl[\Lambda_{-o_2} = k_{-o_2} \wedge M^1(\theta_i, \theta_{-i}; r) \neq M^1(\theta'_i, \theta_{-i}; r) \wedge M^1(\theta_i, \theta_{-i}; r) \in \{o_1, o_2\} \wedge M^1(\theta'_i, \theta_{-i}; r) \in \{o_1, o_2\}\bigr] = 2\Pr_r\bigl[M^1(\theta_i, \theta_{-i}; r) \neq M^1(\theta'_i, \theta_{-i}; r)\bigr],$$
since each unordered pair of distinct outcomes is counted once as $(o_1, o_2)$ and once as $(o_2, o_1)$. □

Combining Lemmas 5.3 and 5.4, we have
$$\mathrm{SD}\bigl(M(\theta_i, \theta_{-i}), M(\theta'_i, \theta_{-i})\bigr) \le |O| \cdot \bigl(1 + 2M e^{\varepsilon/|O|}\bigr) \cdot \Bigl(\mathbb{E}\bigl[U^{out}(\theta_i, M^1(\theta_i, \theta_{-i})) - P(\theta_i, M(\theta_i, \theta_{-i}))\bigr] - \mathbb{E}\bigl[U^{out}(\theta_i, M^1(\theta'_i, \theta_{-i})) - P(\theta'_i, M(\theta'_i, \theta_{-i}))\bigr]\Bigr).$$
Applying Lemma 3.10 gives us our theorem.

Theorem 5.5. Mechanism 5.1 is truthful in expectation and individually rational for player $i$ provided that, for some function $F_i$:

1. Player $i$'s privacy utility $U_i^{priv}$ satisfies Assumption 3.1 with privacy bound function $F_i$, and

2. $2F_i(e^{\varepsilon}) \cdot |O| \cdot \bigl(1 + 2M e^{\varepsilon/|O|}\bigr) < 1$.

In particular, if all players have the same privacy bound function $F_i = F$, it suffices to take $\varepsilon$ to be a sufficiently small constant depending only on $M$ and $|O|$ (and not the number $n$ of players).
Truthfulness in expectation relies on players being risk neutral in terms of their privacy utility, so that it is acceptable that with some low probability the privacy costs are larger than their utility from the outcome. An alternative approach that does not rely on risk neutrality is to switch from the VCG mechanism to the Expected Externality mechanism. This is a variant on VCG that, rather than charging players the actual externality they impose as in Equation (5.1), charges them their expected externality
$$\mathbb{E}_{\theta \sim p}\Bigl[\sum_{j \neq i} \bigl(U^{out}(\theta_j, o_{-i}) - U^{out}(\theta_j, o^*)\bigr)\Bigr], \qquad (5.3)$$
where $p$ is a prior distribution over $\Theta^n$, $o_{-i}$ is the outcome that maximizes the sum of outcome utilities of players other than $i$, and $o^*$ is the outcome that maximizes the sum of outcome utilities when $i$ (with his actual report) is included. Essentially, $i$ is charged the expected amount he would have to pay under VCG given the prior over types. Since the amount players are charged is independent of the actual reports of others, collecting payments has no privacy implications. (The proof of Lemma 5.3 shows that if we only consider the privacy cost of the outcome, then we have universal truthfulness.) However, the use of a prior means that the truthfulness guarantee only holds in a Bayes-Nash equilibrium. On the other hand, this mechanism does have other nice properties, such as being adaptable to guarantee budget balance.

Finally, we show that Mechanism 5.1 approximately preserves VCG's efficiency.

Proposition 5.6. For every profile of types $\theta \in \Theta^n$, if we choose $o \leftarrow M(\theta)$ using Mechanism 5.1, then we have:

1. $\Pr\bigl[\sum_i U^{out}(\theta_i, o) < \max_{o'} \bigl(\sum_i U^{out}(\theta_i, o')\bigr) - \Delta\bigr] \le 2|O| \cdot e^{-\varepsilon\Delta/(2M \cdot |O|)}$.

2. $\mathbb{E}\bigl[\sum_i U^{out}(\theta_i, o)\bigr] \ge \max_{o'} \bigl(\sum_i U^{out}(\theta_i, o')\bigr) - O(|O|^2 \cdot M/\varepsilon)$.

Thus, the social welfare is within $O(|O|^2) \cdot M/\varepsilon$ of optimal, both in expectation and with high probability. As with Proposition 3.7, these bounds are independent of the number $n$ of participants, so we obtain asymptotically optimal social welfare as $n \to \infty$. Also as in the discussion after Proposition 3.7, by taking $\varepsilon = \varepsilon(n)$ such that $\varepsilon = o(1)$ and $\varepsilon = \omega(1/n)$ (e.g. $\varepsilon = 1/\sqrt{n}$), the sum of privacy utilities is also a vanishing fraction of $n$ (for participants satisfying Assumption 3.1 with a common privacy bound function $F$).

Proof of Proposition 5.6. Let $o^{**} = \arg\max_o \sum_j U^{out}(\theta_j, o)$. For the output $o^*$ of Mechanism 5.1 we have:
$$\begin{aligned}
\sum_j U^{out}(\theta_j, o^*) &= V_{o^*} - \Lambda_{o^*} - o^*/|O| \\
&\ge V_{o^{**}} - \Lambda_{o^*} - o^*/|O| \\
&= \Bigl(\max_o \sum_j U^{out}(\theta_j, o)\Bigr) + \Lambda_{o^{**}} + o^{**}/|O| - \Lambda_{o^*} - o^*/|O| \\
&\ge \Bigl(\max_o \sum_j U^{out}(\theta_j, o)\Bigr) - \max_o \bigl(\Lambda_o - \Lambda_{o^{**}}\bigr) - 1.
\end{aligned}$$
So we are left with bounding $\max_o(\Lambda_o - \Lambda_{o^{**}})$ for random variables $\Lambda_o$ such that $\Pr[\Lambda_o = k] \propto \exp(-\varepsilon \cdot |k|/(M \cdot |O|))$. For each $o$,
$$\Pr\bigl[\Lambda_o - \Lambda_{o^{**}} \ge \Delta\bigr] \le \Pr[\Lambda_o \ge \Delta/2] + \Pr[\Lambda_{o^{**}} \le -\Delta/2] \le 2\exp\bigl(-\varepsilon\Delta/(2M \cdot |O|)\bigr).$$
Taking a union bound over the choices for $o$ completes the high probability bound. For the expectation, we have:
$$\mathbb{E}\Bigl[\max_o \bigl(\Lambda_o - \Lambda_{o^{**}}\bigr)\Bigr] \le \mathbb{E}\Bigl[\sum_o \bigl|\Lambda_o - \Lambda_{o^{**}}\bigr|\Bigr] \le |O| \cdot O(M \cdot |O|/\varepsilon) = O(|O|^2 \cdot M/\varepsilon),$$
since each $|\Lambda_o - \Lambda_{o^{**}}|$ is at most $|\Lambda_o| + |\Lambda_{o^{**}}|$ and the discrete Laplace noise has expected magnitude $O(M \cdot |O|/\varepsilon)$. □



6 Discussion

We now provide a Bayesian interpretation of our privacy model, discuss several limitations of the model, and compare our notion of truthfulness with that in Xiao [Xia11].

6.1 Bayesian Interpretation

Our modelling of privacy in Section 3.1 is motivated in part by viewing privacy as a concern about others' beliefs about you. Fix a randomized mechanism $M : \Theta^n \times R \to O$, a player $i \in [n]$, and a profile $\theta_{-i} \in \Theta^{n-1}$ of other players' reports. Suppose that an adversary has a prior $T_i$ on the type of player $i$, as well as a prior $S_i$ on the strategy $\sigma_i : \Theta \to \Theta$ played by player $i$. Then upon seeing an outcome $o$ from the mechanism, the adversary should replace $T_i$ with a posterior $T'_i$ computed according to Bayes' Rule as follows:

$$\Pr[T'_i = \theta_i] = \Pr\bigl[T_i = \theta_i \,\big|\, M(S_i(T_i), \theta_{-i}) = o\bigr] = \Pr[T_i = \theta_i] \cdot \frac{\Pr\bigl[M(S_i(T_i), \theta_{-i}) = o \,\big|\, T_i = \theta_i\bigr]}{\Pr\bigl[M(S_i(T_i), \theta_{-i}) = o\bigr]}.$$

Thus if we set $x = \max_{\theta', \theta'' \in \Theta} \bigl(\Pr[M(\theta', \theta_{-i}) = o] / \Pr[M(\theta'', \theta_{-i}) = o]\bigr)$ (the argument of $F_i$ in Assumption 3.1), then we have
$$\frac{1}{x} \cdot \Pr[T_i = \theta_i] \le \Pr[T'_i = \theta_i] \le x \cdot \Pr[T_i = \theta_i],$$
because the numerator and the denominator of the fraction above are both convex combinations of the quantities $\Pr[M(\theta', \theta_{-i}) = o]$ for $\theta' \in \Theta$ (the numerator averages over $S_i$, the denominator over both $T_i$ and $S_i$), and any two such averages are within a factor of $x$ of each other.

So if $x$ is close to 1, then the posterior $T'_i$ is close to the prior $T_i$, having the same probability mass function within a factor of $x$, and consequently having statistical difference at most $x - 1$. Thus, Assumption 3.1 can be justified by asserting that "if an adversary's beliefs about player $i$ do not change much, then it has a minimal impact on player $i$'s privacy utility." One way to think of this is that player $i$ has some smooth value function of the adversary's beliefs about her, and her privacy utility is the difference of the value function after and before the Bayesian updating. This reasoning follows the lines of Bayesian interpretations of differential privacy due to Dwork and McSherry [Dwo06]. (See also [KS08].)

This Bayesian modelling also explains why we do not include the strategy played by $i$ in the privacy utility function $U_i^{priv}$. How a Bayesian adversary updates its beliefs about player $i$ based on the outcome does not depend on the actual strategy played by $i$, but rather on the adversary's beliefs about that strategy, denoted by $S_i$ in the above discussion. Given that our mechanisms are truthful, it is most natural to consider $S_i$ as the truthful strategy (i.e. the identity function). If player $i$ can successfully convince others that she will follow some other strategy $S_i$, then this can be implicitly taken into account in $U_i^{priv}$. (But if player $i$ further deviates from $S_i$, this should not be taken into account, since the adversary's beliefs will be updated according to $S_i$.)

Our modelling of privacy in terms of others' beliefs is subject to several (reasonable) critiques:

• Sometimes a small, continuous change in beliefs can result in discrete choices that have a large impact on someone's life. For example, consider a ranking of potential employees to hire, students to admit, or suitors to marry: a small change in beliefs about a candidate may cause them to drop one place in a ranking, and thereby not get hired, admitted, or married. On the other hand, the candidate typically does not know exactly where such a threshold is, and so from their perspective the small change in beliefs could be viewed as causing a small change in the probability of rejection.

• As in differential privacy, we only consider an adversary's beliefs about player $i$ given the rest of the database. (This is implicit in our considering a fixed $\theta_{-i}$ in Assumption 3.1.) If an adversary believes that player $i$'s type is correlated with the other players' types (e.g. given by a joint prior $T$ on $\Theta^n$), then conditioning on $T_{-i} = \theta_{-i}$ may already dramatically change the adversary's beliefs about player $i$. For example, if the adversary knew that all $n$ voters in a given precinct prefer the same candidate (but did not know which candidate that is), then conditioning on $\theta_{-i}$ tells the adversary who player $i$ prefers. We don't measure the (dis)utility for leaking this kind of information. Indeed, the differentially private election mechanism of Theorem 3.6 will leak the preferred candidate in this example (with high probability).

• The word "privacy" is used in many other ways. Instead of being concerned about others' beliefs, one may be concerned about self-representation (e.g. the effect that reporting a given type may have on one's self-image).



6.2 Comparison to Xiao's Privacy Measure 

Xiao [Xia11] measures privacy cost as being proportional to the mutual information between a player's type 
and the outcome of the mechanism, where the mutual information between two jointly distributed random 
variables $X$ and $Y$ is defined to be 

$$I(X;Y) = H(X) + H(Y) - H(X,Y) = \mathop{\mathbb{E}}_{(x,y) \sim (X,Y)}\left[\log \frac{\Pr[(X,Y) = (x,y)]}{\Pr[X = x] \cdot \Pr[Y = y]}\right],$$

where $H(Z) = \mathbb{E}_{z \sim Z}[\log(1/\Pr[Z = z])]$ is Shannon entropy. In order for the mutual information to make 
sense, Xiao assumes a prior $T_i$ on a player's type, and the privacy cost also depends on the strategy $\sigma_i : \Theta \to \Theta$ 
played by player $i$. Accordingly, his measure of outcome utility also takes an expectation over the same 
prior $T_i$, resulting in the following definition. 

Definition 6.1. Let $\Theta$ be a type space, $O$ an outcome space, $U^{out} : \Theta \times O \to \mathbb{R}$ an outcome-utility function, 
let $v_i \ge 0$ be a measure of player $i$'s value for privacy, and let $T_i$ be a prior on player $i$'s type. Then a 
randomized mechanism $M : \Theta^n \times R \to O$ is Xiao-truthful for player $i$ if for all strategies $\sigma_i : \Theta \to \Theta$, and 
all profiles $\theta_{-i}$ of reports for the other players, we have: 

$$\mathbb{E}\left[U^{out}(T_i, M(T_i, \theta_{-i}))\right] - v_i \cdot I(T_i; M(T_i, \theta_{-i})) \;\ge\; \mathbb{E}\left[U^{out}(T_i, M(\sigma_i(T_i), \theta_{-i}))\right] - v_i \cdot I(T_i; M(\sigma_i(T_i), \theta_{-i})),$$

where the expectations and mutual information are taken both over $T_i$ and the random choices of $M$. 

While mutual information is a natural first choice for measuring privacy, it has several disadvantages 
compared to our modelling: 

• It treats all bits of information the same, whereas clearly one may have different concerns for different 
aspects of one's private type. For example, one may be a lot more sensitive about the high-order bits 
of one's salary than the low-order bits. 

• It forces us to consider a prior on a player's type and take expected utility over that prior. Contrast this 
with the Bayesian interpretation of our privacy modelling described in Section 6.1. There the prior 
$T_i$ is only an adversary's beliefs about player $i$'s type, which may be completely incorrect. Player $i$'s 
utility is computed with respect to his fixed, actual type $\theta_i$. 
As mentioned earlier, Xiao's modelling is not a special case of ours, particularly because his modelling 
of privacy depends on the actual strategy $\sigma_i$ followed by player $i$. Nevertheless, we can show that truthfulness 
with respect to our definitions implies truthfulness with respect to his: 



Theorem 6.2. If $M$ is truthful in expectation for player $i$ with respect to the privacy utility function 

$$U_i^{priv}(\theta_i, o, M, \theta_{-i}) = -v_i \cdot \log \frac{\Pr[M(\theta_i, \theta_{-i}) = o]}{\Pr[M(T_i, \theta_{-i}) = o]},$$

then $M$ is Xiao-truthful for player $i$ with prior $T_i$. 

We note that the privacy utility function in Theorem 6.2 satisfies Assumption 3.1 with $F_i(x) = v_i \cdot \log(x)$, 
and hence all of our truthful mechanisms are also Xiao-truthful. 

Proof. First note that, by Bayes' Rule, 

$$U_i^{priv}(\theta_i, o, M, \theta_{-i}) = -v_i \cdot \log \frac{\Pr[M(\theta_i, \theta_{-i}) = o]}{\Pr[M(T_i, \theta_{-i}) = o]} = -v_i \cdot \log \frac{\Pr[(T_i, M(T_i, \theta_{-i})) = (\theta_i, o)]}{\Pr[T_i = \theta_i] \cdot \Pr[M(T_i, \theta_{-i}) = o]}. \tag{6.1}$$

Thus, 

$$-v_i \cdot I(T_i; M(T_i, \theta_{-i})) = \mathbb{E}\left[U_i^{priv}(T_i, M(T_i, \theta_{-i}), M, \theta_{-i})\right]. \tag{6.2}$$

To relate the mutual information under strategy $\sigma_i$ to $U_i^{priv}$, we use the notion of KL divergence between 
two random variables $X$ and $Y$, which is defined as 

$$\mathrm{KL}(X \,\|\, Y) = \mathop{\mathbb{E}}_{x \sim X}\left[\log \frac{\Pr[X = x]}{\Pr[Y = x]}\right].$$

We will use the fact that for a random variable $W$ jointly distributed with $X$ and $Y$, we have $\mathrm{KL}(W, X \,\|\, W, Y) \ge 
\mathrm{KL}(X \,\|\, Y)$. (This follows from the Log-Sum Inequality [CT91].) Taking $W = T_i$, $X = M(\sigma_i(T_i), \theta_{-i})$, and 
$Y = M(T_i, \theta_{-i})$, we have 

$$\begin{aligned}
I(T_i; M(\sigma_i(T_i), \theta_{-i})) 
&\ge I(T_i; M(\sigma_i(T_i), \theta_{-i})) - \mathrm{KL}(T_i, M(\sigma_i(T_i), \theta_{-i}) \,\|\, T_i, M(T_i, \theta_{-i})) + \mathrm{KL}(M(\sigma_i(T_i), \theta_{-i}) \,\|\, M(T_i, \theta_{-i})) \\
&= \mathop{\mathbb{E}}_{(\theta_i, o) \sim (T_i, M(\sigma_i(T_i), \theta_{-i}))}\left[\log \frac{\Pr[(T_i, M(T_i, \theta_{-i})) = (\theta_i, o)]}{\Pr[T_i = \theta_i] \cdot \Pr[M(T_i, \theta_{-i}) = o]}\right].
\end{aligned}$$

Combining this with Equation (6.1), we have: 

$$-v_i \cdot I(T_i; M(\sigma_i(T_i), \theta_{-i})) \le \mathbb{E}\left[U_i^{priv}(T_i, M(\sigma_i(T_i), \theta_{-i}), M, \theta_{-i})\right]. \tag{6.3}$$

By truthfulness in expectation with respect to $U_i^{priv}$, we have 

$$\begin{aligned}
&\mathbb{E}\left[U^{out}(T_i, M(T_i, \theta_{-i}))\right] + \mathbb{E}\left[U_i^{priv}(T_i, M(T_i, \theta_{-i}), M, \theta_{-i})\right] \\
&\quad \ge \mathbb{E}\left[U^{out}(T_i, M(\sigma_i(T_i), \theta_{-i}))\right] + \mathbb{E}\left[U_i^{priv}(T_i, M(\sigma_i(T_i), \theta_{-i}), M, \theta_{-i})\right].
\end{aligned} \tag{6.4}$$

Combining Inequalities (6.2), (6.3), and (6.4) completes the proof. □ 
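As an added numerical check of the two steps at the heart of this proof (not code from the paper), the Python below computes Xiao's mutual-information measure and the expected value of the privacy utility function $U_i^{priv}$ of Theorem 6.2 on a constructed two-type, two-outcome instance, and verifies that they coincide under the truthful strategy (Equation (6.2)) while (6.3) holds with non-negative slack for any other strategy. The prior $T_i$, the mechanism's outcome distributions (with $\theta_{-i}$ held fixed), the value $v_i$ and the strategies $\sigma_i$ are all constructed here, not taken from the paper.

```python
import math
from itertools import product

# Constructed toy instance (not from the paper): two types, two outcomes, and a
# mechanism M given by the distribution of its outcome for each report of player
# i, with the other players' reports theta_{-i} held fixed throughout.
TYPES = (0, 1)
OUTCOMES = (0, 1)
PRIOR = {0: 0.6, 1: 0.4}            # T_i: the prior on player i's type
CHANNEL = {0: {0: 0.6, 1: 0.4},     # Pr[M(0, theta_{-i}) = o] for o = 0, 1
           1: {0: 0.3, 1: 0.7}}     # Pr[M(1, theta_{-i}) = o] for o = 0, 1
V_I = 1.5                           # v_i: player i's value for privacy
TRUTHFUL = lambda t: t              # the truthful strategy sigma_i(theta) = theta


def outcome_dist(prior, channel, sigma):
    """Pr[M(sigma(T_i), theta_{-i}) = o] for each outcome o, with T_i ~ prior."""
    return {o: sum(prior[t] * channel[sigma(t)][o] for t in TYPES) for o in OUTCOMES}


def mutual_information(prior, channel, sigma):
    """Xiao's measure: I(T_i; M(sigma(T_i), theta_{-i})) in nats."""
    marg = outcome_dist(prior, channel, sigma)
    return sum(prior[t] * channel[sigma(t)][o] * math.log(channel[sigma(t)][o] / marg[o])
               for t, o in product(TYPES, OUTCOMES) if channel[sigma(t)][o] > 0)


def privacy_utility(theta, o, prior, channel, v):
    """U_i^priv(theta_i, o, M, theta_{-i}) = -v_i * log(Pr[M(theta_i)=o] / Pr[M(T_i)=o])."""
    return -v * math.log(channel[theta][o] / outcome_dist(prior, channel, TRUTHFUL)[o])


def expected_privacy_utility(prior, channel, sigma, v):
    """E[U_i^priv(T_i, o, M, theta_{-i})] with the outcome o drawn from M(sigma(T_i), theta_{-i})."""
    return sum(prior[t] * channel[sigma(t)][o] * privacy_utility(t, o, prior, channel, v)
               for t, o in product(TYPES, OUTCOMES))


def check_theorem_6_2(prior, channel, sigma, v):
    """Return (gap, slack): gap = E[U^priv] + v_i * I under the truthful strategy, which
    Equation (6.2) says is 0; slack = E[U^priv] + v_i * I under sigma, which Inequality
    (6.3) says is >= 0 (it equals v_i * (KL(T,X || T,Y) - KL(X || Y)) from the proof)."""
    gap = (expected_privacy_utility(prior, channel, TRUTHFUL, v)
           + v * mutual_information(prior, channel, TRUTHFUL))
    slack = (expected_privacy_utility(prior, channel, sigma, v)
             + v * mutual_information(prior, channel, sigma))
    return gap, slack
```

Calling `check_theorem_6_2(PRIOR, CHANNEL, lambda t: 1 - t, V_I)` (the always-misreport strategy) returns a gap of essentially zero and a strictly positive slack; a constant strategy makes the outcome independent of $T_i$, so its mutual information is zero and the slack is just the expected privacy utility.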